Preface

In July 1998, a summer school in cryptology and data security was organized at the computer science department of Aarhus University, Denmark. This took place as a part of a series of summer schools organized by the European Educational Forum, an organization consisting of the research centers TUCS (Finland), IPA (Holland) and BRICS (Denmark, Aarhus). The local organizing committee consisted of Jan Camenisch, Janne Christensen, Ivan Damgård (chair), Karen Møller, and Louis Salvail. The summer school was supported by the European Union.

Modern cryptology is an extremely fast growing field and is of fundamental 
importance in very diverse areas, from theoretical complexity theory to practical 
electronic commerce on the Internet. We therefore set out to organize a school 
that would enable young researchers and students to obtain an overview of some 
main areas, covering both theoretical and practical topics. It is fair to say that 
the school was a success, both in terms of attendance (136 participants from 
over 20 countries) and in terms of contents. It is a pleasure to thank all of the 
speakers for their cooperation and the high quality of their presentations. 

A total of 13 speakers gave talks: Mihir Bellare, University of California, San Diego; Gilles Brassard, University of Montreal; David Chaum, DigiCash; Ronald Cramer, ETH Zurich; Ivan Damgård, BRICS; Burt Kaliski, RSA Inc.; Lars Knudsen, Bergen University; Peter Landrock, Cryptomathic; Kevin McCurley, IBM Research, Almaden; Torben Pedersen, Cryptomathic; Bart Preneel, Leuven University; Louis Salvail, BRICS; Stefan Wolf, ETH Zurich.

It was natural to take the opportunity kindly offered by Springer-Verlag to publish a set of papers reflecting the contents of the school. Although not all speakers were able to contribute, due to lack of time and resources, this volume does cover all the main areas that were presented. The intention of all papers found here is to serve an educational purpose: elementary introductions are given to a number of subjects, some examples are given of the problems encountered, as well as solutions, open problems, and references for further reading. Thus, in general we have tried to give an up-to-date overview of the subjects we cover, with an emphasis on insight, rather than on full-detail technical presentations. Several results, however, are in fact presented with full proofs. The papers have not been refereed as for a journal.

I would like to thank all of the authors for their contributions and the hard 
work and time they have invested. 



Ivan Damgård

1 Introduction

This short article is intended to complement my talk. I would like to try to introduce you to a certain, relatively new sub-area of cryptography that we have been calling practice-oriented provable-security. It is about applying the ideas of “provable security” to the derivation of practical, secure protocols. I believe it is a fruitful blend of theory and practice that is able to enrich both sides and has by now had some impact on real world security.

A few years ago, provable security was largely known only to theoreticians. 
This has been changing. We are seeing a growing appreciation of provable secu- 
rity in practice, leading in some cases to the use of such schemes in preference 
to other ones. Indeed it seems standards bodies and implementors now view 
provable security as an attribute of a proposed scheme. This means that a wider 
audience needs an understanding of the basic ideas behind provable security. 

This article is directed at practitioners and theoreticians alike. For the first group I hope it will help to understand what provable security is and isn’t, why it is useful, how to evaluate the provable security of a scheme, and where to look for such schemes. For the second group, it can serve to acquaint them with how the ideas with which they are familiar are being applied.

I will begin by describing the basic idea behind provable security. (For many 
of you, this will be mostly recall, but some novel viewpoints or examples may 
enter.) Next, I will discuss the practice-oriented approach. I will discuss its main 
ideas, the problems it has addressed, and briefly survey known results. I hope 
to leave you feeling there is scope here both for interesting research and for 
application. 



2 Protocols, Primitives, Proofs and Practice 

The basic task in cryptography is to enable two parties to communicate “securely” over an insecure channel, namely in a way that guarantees privacy and authenticity of their transmissions. (There are many other tasks as well, but we will begin by thinking about this basic one.)
2.1 Protocols and Primitives: The Problem

Protocols: the end goal. To enable secure communication, one wants cryptographic protocols or schemes. For example, an encryption scheme enables users to communicate privately. Such a scheme is specified by a pair (E, D) of algorithms. The first, run by the sender, takes a key and the plaintext M to create a ciphertext C, which is transmitted to the receiver. The latter applies D, which takes a key and the received ciphertext to recover the plaintext. (Roughly, the security property desired is that an adversary can’t learn anything useful about the plaintext given the ciphertext, but we will get into this more later.) The key could be a shared one (this is the private key or symmetric setting) or the keys for encryption and decryption could be different (the public key or asymmetric setting). Designing an encryption scheme means designing the two algorithms E and D.

Similarly, a message authentication scheme (or protocol) enables parties to 
tag their data so that the recipient is assured that the data originates with the 
person claiming to have sent it and has not been tampered with on the way. 

The design of such protocols is the end goal for the cryptographer. However, 
it is not an easy one to reach. What makes it reachable at present is that we 
have very good primitives on which to base these protocols. 

Primitives: the tools. Julius Caesar also wanted to design protocols. He had 
a much harder time than we do today, because he didn’t have DES or the RSA 
function. 

The latter are examples of what I will call atomic primitives. Certainly, they 
are cryptographic objects of some sort. What is it that distinguishes them from 
protocols? The distinction is that in their purest and rawest state, atomic prim- 
itives don’t solve any cryptographic problem we actually care about. We must 
use them appropriately to construct protocols to solve the problems that matter. 
For example, DES based CBC encryption is a way of using DES to do symmetric 
encryption. By first hashing a message and then decrypting under RSA we have 
a possible way to do digital signatures based on the RSA function. (Whether 
these ways are good or bad ways of accomplishing the goal is another question, 
to be addressed later.) Thus, atomic primitives are simple building blocks that 
must be put together to yield protocols. 

Good atomic primitives are rare, as are people who understand their workings. Certainly, an important effort in cryptography is to design new atomic primitives and cryptanalyze them and old ones. This, however, is not the part of cryptography I want to talk about. The reason is that the design (or discovery) of good atomic primitives is more an art than a science. On the other hand, I’d like to claim that the design of protocols can be made a science.

The question. We will view a cryptographer as an engine for turning atomic 
primitives into protocols. That is, we focus on protocol design under the assump- 
tion that good atomic primitives exist. Some examples of the kinds of questions 
we are interested in are these. What is the best way to encrypt a large text file 
using DES, assuming DES is secure? What is the best way to design a signature 
scheme using the RSA function, assuming the latter is one-way? How “secure” 
are known methods for these tasks? What do such questions even mean, and can 
we find a scientific framework in which to ask and answer them? 

The problem. The problem with protocol design is that a poorly designed 
protocol can be insecure even though the underlying atomic primitive is good. An 
example is ECB (Electronic Code-Book) mode encryption with a block cipher. It 
is not a good encryption scheme because partial information about the plaintext 
leaks. Yet this is no fault of the underlying atomic primitive (typically DES). 
Rather, the atomic primitive was mis-used. 

Indeed, lots of protocols are broken. Yet the good atomic primitives, like DES and RSA, have never been convincingly broken. We would like to build on the strength of atomic primitives in such a way that protocols can “inherit” this strength, not lose it!
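The ECB failure just described, as an added example that is not code from the article: the atomic primitive is a constructed toy 64-bit Feistel permutation (not DES, and not a vetted cipher; it stands in for a "good" block cipher only because any Feistel network is a keyed permutation), and the two modes built on it are compared in a distinguishing experiment. The adversary is handed the encryption of either a message made of identical blocks or one made of distinct blocks and must say which; ECB lets it win every time because equal plaintext blocks map to equal ciphertext blocks, whereas CBC with a fresh random IV hides the repetition. The key, messages and seeds are constructed test values.

```python
import hashlib
import random

BLOCK = 8  # 64-bit blocks, the DES block size

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyFeistelCipher:
    """Constructed stand-in for the atomic primitive: a 4-round Feistel permutation whose
    round function is SHA-256(key || round || half). Any weakness the experiment below
    exposes belongs to the mode, not to this permutation."""
    def __init__(self, key: bytes, rounds: int = 4):
        self.key, self.rounds = key, rounds
    def _f(self, rnd: int, half: bytes) -> bytes:
        return hashlib.sha256(self.key + bytes([rnd]) + half).digest()[:BLOCK // 2]
    def encrypt_block(self, b: bytes) -> bytes:
        l, r = b[:BLOCK // 2], b[BLOCK // 2:]
        for rnd in range(self.rounds):
            l, r = r, xor(l, self._f(rnd, r))
        return l + r
    def decrypt_block(self, b: bytes) -> bytes:
        l, r = b[:BLOCK // 2], b[BLOCK // 2:]
        for rnd in reversed(range(self.rounds)):
            l, r = xor(r, self._f(rnd, l)), l
        return l + r

def split_blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(cipher, plaintext: bytes, rng) -> bytes:
    """ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(cipher.encrypt_block(b) for b in split_blocks(plaintext))

def cbc_encrypt(cipher, plaintext: bytes, rng) -> bytes:
    """CBC with a fresh random IV (sent as the first block): the chaining randomises each block input."""
    prev = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
    out = [prev]
    for b in split_blocks(plaintext):
        prev = cipher.encrypt_block(xor(b, prev))
        out.append(prev)
    return b"".join(out)

def repeat_detector(ciphertext: bytes) -> int:
    """The adversary: guess 0 ('the structured message') if any ciphertext block repeats, else 1."""
    bs = split_blocks(ciphertext)
    return 0 if len(set(bs)) < len(bs) else 1

def distinguishing_advantage(mode, trials: int = 50, seed: int = 1) -> float:
    """M0 is four identical blocks, M1 four distinct blocks. Each trial encrypts both under a
    fresh key (and IV). Advantage = Pr[guess 0 | M0] - Pr[guess 0 | M1]: 1.0 means the
    mode gives the structure away every time, 0.0 means the guess is no better than chance."""
    rng = random.Random(seed)
    m0 = b"\x00" * (4 * BLOCK)
    m1 = bytes(range(4 * BLOCK))
    hits0 = hits1 = 0
    for _ in range(trials):
        cipher = ToyFeistelCipher(rng.getrandbits(128).to_bytes(16, "big"))
        hits0 += repeat_detector(mode(cipher, m0, rng)) == 0
        hits1 += repeat_detector(mode(cipher, m1, rng)) == 0
    return (hits0 - hits1) / trials

if __name__ == "__main__":
    print("ECB advantage:", distinguishing_advantage(ecb_encrypt))  # 1.0
    print("CBC advantage:", distinguishing_advantage(cbc_encrypt))  # 0.0
```

The experiment is the "can you tell which of two messages was encrypted" notion that the article returns to later; note that the same permutation underlies both results, which is exactly the point that the primitive was misused rather than broken.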



2.2 Provable Security: Reductions 

The idea of provable security was introduced in the pioneering work of Gold- 
wasser and Micali [26] . They developed it in the particular context of asymmetric 
encryption, but it soon spread to be applied to other tasks. (Of these, the most 
basic were pseudorandomness [16,40,25] and digital signatures [27]). 

What is provable security? The paradigm is as follows. Take some goal, like 
achieving privacy via encryption. The first step is to make a formal adversarial 
model and define what it means for an encryption scheme to be secure. With 
this in hand, a particular scheme, based on some particular atomic primitive, 
can be analyzed from the point of view of meeting the definition. Eventually, one 
shows that the scheme “works” via a reduction. The reduction shows that the 
only way to defeat the protocol is to break the underlying atomic primitive. In 
other words, there is no need to directly cryptanalyze the protocol: if you were 
to find a weakness in it, you would have unearthed one in the underlying atomic 
primitive. So you might as well focus on the atomic primitive. And if we believe 
the latter is secure, we know, without further cryptanalysis of the protocol, that 
the protocol is secure. 

An important sub-part of the last step is that in order to enable a reduction 
one must also have a formal notion of what is meant by the security of the under- 
lying atomic primitive: what attacks, exactly, does it withstand? For example, 
we might assume RSA is a one-way function. 

Here is another way of looking at what reductions do. When I give you a 
reduction from the one-wayness of RSA to the security of my protocol, I am 
giving you a transformation with the following property. Suppose you claim 
to be able to break my protocol. Let P be the program that does this. My 
transformation takes P and puts a simple “wrapper” around it, resulting in a 
protocol P' . This protocol P' provably breaks RSA. Conclusion? As long as we 
believe you can’t break RSA, there could be no such program P. In other words, 
my protocol is secure. 
Those familiar with the theory of NP-completeness will recognize that the 
basic idea of reductions is the same. When we provide a reduction from SAT to 
some problem we are saying our problem is hard unless SAT is easy; when we 
provide a reduction from RSA to our protocol, we are saying the latter is secure 
unless RSA is easy. 

Here, I think, is a beautiful and powerful idea. Some of us by now are so 
used to it that we can forget how innovative it was. And for those not used to 
it, it can be hard to understand (or, perhaps, believe) at first hearing, perhaps 
because it delivers so much. Protocols designed this way truly have superior 
security guarantees. 

Nomenclature. In some ways the term “provable security” is misleading. As 
the above indicates, what is probably the central step is providing a model and 
definition, which does not involve proving anything. And one does not “prove 
a scheme secure:” one provides a reduction of the security of the scheme to the 
security of some underlying atomic primitive. For that reason, I sometimes use 
the term “reductionist security” to refer to this genre of work. 

The complexity-theoretic approach. The precise formalization of prov- 
able security can take many forms. The theoretical literature has chosen, for the 
most part, to develop it in a complexity theoretic framework where one talks 
about “polynomial time” adversaries and transformations, and “negligible suc- 
cess probabilities.” This approach was convenient for a field striving to develop 
a technical idea of great depth. Complexity-based cryptography has been re- 
markably successful, coming up with definitions for many central cryptographic 
primitives, and constructions based on “minimal assumptions.” For a brief in- 
troduction to this body of work, refer to the recent survey by Goldreich [24]. 

In practice? The potential for the idea of provable security to impact practice 
is large. Yet its actual impact had been disappointingly small, in the sense that 
these ideas were reflected almost not at all in protocols used in practice. Here 
are some possible reasons. 

In practice, block ciphers are the most popular atomic primitive, especially for private key cryptography. Yet the provable security line of work (prior to the development of the practice-oriented variant) omitted any treatment of schemes based on block ciphers: only number-theoretic atomic primitives were deemed adequate as a basis for protocol design. In particular some of the world’s most used protocols, such as CBC MAC [1] or encryption [32,2], seemed to be viewed as outside the domain of provable security.¹

The main generic disadvantage of the schemes delivered by the traditional provable security approach is that they are inefficient.² This is due in part to the complexity of the constructions. But it is also due in part to a reliance on inefficient atomic primitives. For example, a MAC would be constructed out of a one-way function like RSA rather than out of a block cipher. This takes us back to the above.

¹ Luby and Rackoff [31] studied the Feistel structure behind DES, but what I am talking about is to look at protocols that use DES and ask about their security.

² Typically the gap relative to what is desirable in practice is enormous. In some cases it is small, but still seems enough to preclude usage.

Finally, some aspects of the complexity-theoretic approach unfortunately distanced provable security from practice. For example, practitioners need numbers: how many cycles of adversary computation can the scheme withstand, how many bits is the security parameter? These are only loosely captured by “polynomials” or “negligible probabilities.” To make provable security useful, reductions and security analyses must be concrete. Theoreticians will say, correctly, that this information can be obtained by looking at their proofs. But this view obscures the importance of working on improving the security of reductions.³

Practice-oriented provable security attempts to remedy this by appropriate 
paradigm shifts. 

3 Practice-Oriented Provable Security 

Practice-oriented provable security as I discuss it was introduced in a set of 
papers authored by myself and Phil Rogaway [8,7,6]. We preserve and focus 
on the two central ideas of the provable security approach: the introduction 
of notions, or definitions that enable us to think about protocols and atomic 
primitives in a systematic way, and the idea of doing reductions. But we modify 
the viewpoints, models, and problems treated. Here are some elements of the 
approach and work to date. 



3.1 Using Block Ciphers 

Block ciphers like the DES are the most ubiquitous tool in practical crypto- 
graphic protocol design. However, as indicated above, traditionally nothing was 
proved about protocols that use them. An important element of our line of work 
is to integrate block ciphers into the fabric of provable security. On the one hand 
we analyze existing schemes that use block ciphers to assess how well they meet 
strong, formal notions of security; on the other hand we design new schemes 
based on block ciphers and show they meet such notions. In the first category 
are our analyses of the CBC MAC [7] and analyses of various modes of operation 
of a block cipher [5] . In the second category are constructions like the XOR MAC 
[6] or the cascade [4]. 

Key to these results (and perhaps more important than any individual result) is that we treat block ciphers systematically by formally modeling them in some way. Specifically, the suggestion of [7], followed in the other works, was to model a block cipher as a finite pseudorandom function (FPRF) family. (The fundamental notion of a pseudorandom function family is due to Goldreich, Goldwasser and Micali [25]. The finite variant was introduced in [7].) Roughly, we are assuming that as long as you don’t know the underlying key, the input-output behavior of a block cipher closely resembles that of a random function.

³ This is not to say concrete security has always been ignored. One person who from the beginning has systematically addressed concrete security in his works is Claus Schnorr. See any of his papers involving cryptographic reductions.

Mihir Bellare

Thus, the theorems in the mentioned papers say that a scheme (eg. CBC 
MAC) is secure unless one can detect some deviation from random behavior in 
the underlying block cipher. Underlying this claim is a reduction, as usual in the 
provable security approach, showing how to break the cipher given any way to 
break the scheme based on it. 

The idea of treating block ciphers as pseudorandom functions provides a fresh 
way of looking at block ciphers from both the design and usage perspective. On 
the one hand, this view can form the basis for analyses of many other block 
cipher based schemes. On the other hand, we suggest it be a design criterion for 
future block ciphers (a view that new efforts such as AES do seem to support) 
and that existing ciphers should be cryptanalyzed to see how well they meet this 
goal. 
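The pseudorandom-function view of a block cipher, made concrete as an added example (not code from the article or the cited papers): the FPRF experiment gives an adversary oracle access either to the keyed function under a hidden key or to a truly random function, and its advantage is the difference in how often it says "this is the cipher" in the two worlds. The two keyed functions below are constructed stand-ins, not real ciphers: one is a SHA-256 truncation that behaves like a random function, the other is the same function with its low output bit forced to zero, a deviation from random behaviour of exactly the kind the article says a reduction turns into an attack on the scheme.

```python
import hashlib
import random

OUT = 8  # 64-bit outputs, the block size of a DES-like cipher

def good_prf(key: bytes, x: bytes) -> bytes:
    """Constructed stand-in for a cipher that behaves like a random function:
    the first 8 bytes of SHA-256(key || x). Not a real block cipher."""
    return hashlib.sha256(key + x).digest()[:OUT]

def biased_prf(key: bytes, x: bytes) -> bytes:
    """Constructed 'flawed' cipher: identical to good_prf except that the low bit of
    every output is 0, a detectable deviation from random behaviour."""
    out = bytearray(good_prf(key, x))
    out[-1] &= 0xFE
    return bytes(out)

class PrfOracle:
    """One run of the FPRF experiment. With real=True the oracle is F_key under a hidden key;
    with real=False it is a truly random function, sampled lazily so that repeated
    queries are answered consistently."""
    def __init__(self, f, real: bool, rng: random.Random):
        self.f, self.real, self.rng = f, real, rng
        self.key = rng.getrandbits(128).to_bytes(16, "big")
        self.table = {}
    def query(self, x: bytes) -> bytes:
        if self.real:
            return self.f(self.key, x)
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(8 * OUT).to_bytes(OUT, "big")
        return self.table[x]

def low_bit_distinguisher(oracle: PrfOracle, q: int) -> int:
    """Adversary making q queries: outputs 1 ('this is the cipher') iff every answer has
    low bit 0. Against a truly random function that happens with probability 2^-q."""
    for i in range(q):
        if oracle.query(i.to_bytes(4, "big"))[-1] & 1:
            return 0
    return 1

def prf_advantage(f, adversary, q: int = 20, trials: int = 200, seed: int = 1) -> float:
    """Estimate Adv = Pr[A outputs 1 | oracle is F] - Pr[A outputs 1 | oracle is random].
    This is the quantity (epsilon) in which the concrete bounds of the next section are stated."""
    rng = random.Random(seed)
    real = sum(adversary(PrfOracle(f, True, rng), q) for _ in range(trials))
    rand = sum(adversary(PrfOracle(f, False, rng), q) for _ in range(trials))
    return (real - rand) / trials

if __name__ == "__main__":
    print("biased cipher:", prf_advantage(biased_prf, low_bit_distinguisher))  # about 1.0
    print("good cipher:  ", prf_advantage(good_prf, low_bit_distinguisher))    # about 0.0
```

The estimate is over a finite number of runs, so it approximates the advantage; the definition itself is the exact probability difference. Replacing the fixed statistic with any other test of the outputs gives a different adversary, and the cipher is a good FPRF only if every efficient one has small advantage.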



3.2 Concrete Security 

Practice oriented provable security attempts to explicitly capture the inherently quantitative nature of security, via a concrete or exact treatment of security. Rather than prove asymptotic results about the infeasibility of breaking a protocol in polynomial time, we present and prove “exact” or “concrete” reductions. Our results have the form: “If DES withstands an attack in which the adversary gets to see 2^® plaintext-ciphertext pairs, then our protocol is secure against an adversary who can run for t steps, for the following value of t.” This enables a protocol designer to know exactly how much security he/she gets. And it brings a new dimension to protocols: rather than just being secure or non-secure, one can be “more” secure than another.

For example, the theorem of [7] characterizing the security of the CBC MAC says that an adversary who runs for time t and sees q correctly MACed messages has chance at most ε + (3q²n² + 1)/2^l of correctly forging the MAC of a new message, where l is the block length of the underlying cipher, n is the number of blocks in any message to which the MAC applies, and ε captures the security of the cipher, specifically being the chance of detecting a deviation of the cipher from random behavior in time t + O(nql) given nq input-output examples of the cipher under the same key. (This ε is of course a function of the key length of the underlying cipher, but the latter does not need to appear explicitly.) Thus, a user sees exactly how the chance of forgery increases with the number of messages MACed.

Another aspect of the concrete security treatment is to try to preserve as 
much as possible of the strength of the underlying atomic primitive in transform- 
ing it to the protocol. This means we aim for reductions as strong as possible. 
This is important because reduction strength translates directly to protocol effi- 
ciency in practice. A weak reduction means that to get the same level of security 
in our protocol we must use larger keys for the underlying atomic primitive, and 
this means slower protocols. If the reduction is strong, shorter keys will suffice 
and the protocol is more efficient. Reduction quality plays a significant role in 
[7,6,10,12,4,5] all of which achieve tight or close to tight reductions. 

We found that improving the concrete security was a rich and rewarding line 
of work, and thinking about it greatly increases understanding of the problem. 

In [5] we also concern ourselves with how different formalizations of a notion 
(in this case, secure encryption) are affected when concrete security is an issue. 



3.3 Security Versus Attacks 

Practitioners typically think only about concrete attacks; theoreticians ignore 
them, since they prove the security. Under the practice oriented provable secu- 
rity approach, attacks and security emerge as opposite sides of the same coin, 
and complement each other. Attacks measure the degree of insecurity; our quan- 
titative bounds measure the degree of security. When the two meet, we have 
completely characterized the security of the protocol. 

For example, the security of the CBC MAC shown in [7] is the flip-side of attacks like those of Preneel and Van Oorschot [37]. (The latter say that the CBC MAC can be broken once 2^{l/2} messages have been MACed, where l is the block length of the underlying cipher. We say, roughly, that it can’t be broken when fewer than this many messages are MACed.) Thus the results of [7,37] complement each other very well. Yet, the literature on these subjects does not reflect this duality appropriately.

We found that even when proofs are provided, much is to be gained by finding the best possible attacks. We find new kinds of attacks, which break the system as measured by our more stringent notions of security: an encryption scheme is broken if you can tell whether the message encrypted was 0 or 1, not just if you find the key. This is actually important in practice. Meanwhile, these attacks provide, effectively, the lower bounds to our concrete security analyses, telling us whether the proven security is optimal or not. Publications in which we assess the optimality of our reductions via attacks include [6,4,5].
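The CBC MAC bound of Section 3.2 and its meeting point with the 2^{l/2} attack of Section 3.3, worked through as an added example (not code from [7] or the article): the first function is the quoted bound ε + (3q²n² + 1)/2^l, the second inverts it to give the number of messages that may be MACed under one key before the forgery probability exceeds a chosen target, which is the form in which a practitioner actually uses such a theorem (as a rekeying budget), and the third compares the q at which the bound reaches 1 with the birthday threshold 2^{l/2}. The parameters l = 64 (a DES-sized block), n = 64 blocks per message and a target of 2^-20 are constructed inputs, not figures from the article.

```python
import math

def cbc_mac_forgery_bound(eps: float, q: int, n: int, l: int) -> float:
    """The CBC MAC theorem of [7] as stated in Sec. 3.2:
         Pr[forgery] <= eps + (3 q^2 n^2 + 1) / 2^l
    eps: chance of distinguishing the cipher from random (nq examples, time t + O(nql)),
    q: messages MACed under the key, n: blocks per message, l: block length in bits."""
    return min(1.0, eps + (3 * q * q * n * n + 1) / 2 ** l)

def max_messages(eps: float, n: int, l: int, target: float) -> int:
    """Largest q for which the bound stays at or below `target`: the per-key message budget
    a defender can derive from the theorem. Solves 3 q^2 n^2 + 1 <= (target - eps) 2^l
    in exact integer arithmetic so the answer is never optimistic by rounding."""
    if target <= eps:
        return 0
    room = int((target - eps) * 2 ** l) - 1
    if room < 0:
        return 0
    return math.isqrt(room // (3 * n * n))

def birthday_ratio(n: int, l: int) -> float:
    """2^(l/2) divided by the q at which the proven bound (with eps = 0) reaches 1.
    Sec. 3.3: the attack of [37] succeeds at about 2^(l/2) messages; the bound says forgery
    is unlikely below roughly that many. The ratio shows how close the two sides sit."""
    return 2 ** (l / 2) / max_messages(0.0, n, l, 1.0)

if __name__ == "__main__":
    l, n = 64, 64   # constructed parameters: DES-sized block, 512-byte messages
    for k in (10, 20, 25, 28, 30):
        print(f"q = 2^{k}: forgery bound <= {cbc_mac_forgery_bound(0.0, 2 ** k, n, l):.3e}")
    print("messages before bound exceeds 2^-20:", max_messages(0.0, n, l, 2 ** -20))
    print("2^(l/2) / q_at_which_bound_is_1 (n=1):", round(birthday_ratio(1, l), 3))
```

Two things the numbers make visible that the formula alone does not: the quadratic growth in q means halving the acceptable forgery probability buys far less than half the messages, and with ε = 0 the bound hits 1 at 2^{l/2}/(n·√3), so for single-block messages the proof and the attack differ only by a constant factor of about 1.73.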

3.4 The Random Oracle Model 

Sometimes, using pseudorandom function families or one-way functions alone, 
we are not able to find schemes efficient enough for practice. This is true for 
example in the case of public key encryption or signatures. In such cases, we 
turn to the random oracle paradigm. 

The random oracle paradigm was introduced in [9] as a bridge between theory 
and practice. The idea is a simple one: namely, provide all parties — good and bad 
alike — with access to a (public) function h; prove correct a protocol assuming 
h is truly random, ie. a random oracle; later, in practice, set h to some specific 
function derived in some way from a standard cryptographic hash function like 
SHA-1 [33] or RIPEMD-160 [21]. 

We used the random oracle paradigm most importantly to design OAEP 
[10] and PSS [12]. These are schemes for (public key) encryption and signature 
(respectively), the most popular versions of which use RSA as the underlying 
primitive. (Both OAEP and PSS are, more accurately, padding or formatting 
mechanisms which are applied to a message before the appropriate RSA opera- 
tion is applied.) They are as efficient as previously used or standardized schemes, 
but, unlike them, provably achieve strong notions of security in the random or- 
acle model, assuming RSA is a one-way function. 
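The padding mechanism just described, as an added example that is not code from the article, from PKCS#1 or from any cited standard: an EME-OAEP encoder and decoder in the PKCS#1 v2.0 layout, using only the Python standard library, with the random-oracle function h instantiated the way the paradigm prescribes, as the SHA-1 based mask generation function MGF1. The RSA operation is left out; the 127-byte encoded message produced below is what would be fed to RSA with a 1024-bit modulus. The plaintext (a credit-card-shaped string, since the article mentions SET) and the fixed seed are constructed test values; in use the seed must be fresh randomness for every encryption.

```python
import hashlib
import os

HASH = hashlib.sha1          # the hash the scheme is instantiated with (SHA-1 in PKCS#1 v2.0)
H_LEN = HASH().digest_size   # 20 bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 of PKCS#1 v2.0: the concrete stand-in for the random oracle h. Hashes
    seed || counter for counter = 0, 1, ... and concatenates the digests."""
    n_blocks = (length + H_LEN - 1) // H_LEN
    out = b"".join(HASH(seed + c.to_bytes(4, "big")).digest() for c in range(n_blocks))
    return out[:length]

def oaep_encode(message: bytes, em_len: int, label: bytes = b"", seed=None) -> bytes:
    """EME-OAEP encoding. em_len is the encoded-message length in bytes; in v2.0 it is one
    less than the RSA modulus length, e.g. 127 for a 1024-bit modulus."""
    max_msg = em_len - 2 * H_LEN - 1
    if len(message) > max_msg:
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (max_msg - len(message))
    db = l_hash + ps + b"\x01" + message                 # DB = lHash || PS || 01 || M
    seed = os.urandom(H_LEN) if seed is None else seed   # fresh randomness per encryption
    masked_db = xor(db, mgf1(seed, em_len - H_LEN))      # DB   xor h(seed)
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))      # seed xor h(maskedDB)
    return masked_seed + masked_db

def oaep_decode(em: bytes, label: bytes = b"") -> bytes:
    """Inverse of oaep_encode. Every failure raises the same error with no detail: the
    chosen-ciphertext attack on PKCS#1 v1.5 mentioned in Sec. 3.4 fed on decoders that
    told the attacker why a ciphertext was rejected, so a single uniform failure path is deliberate."""
    if len(em) < 2 * H_LEN + 2:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[:H_LEN], em[H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, len(em) - H_LEN))
    l_hash_ok = db[:H_LEN] == HASH(label).digest()
    sep = H_LEN
    while sep < len(db) and db[sep] == 0:              # skip the zero padding string PS
        sep += 1
    if not l_hash_ok or sep == len(db) or db[sep] != 1:
        raise ValueError("decoding error")
    return db[sep + 1:]

def decodes_cleanly(em: bytes, label: bytes = b"") -> bool:
    """True iff em is a well-formed encoding under `label`; used to observe rejection without detail."""
    try:
        oaep_decode(em, label)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    pan = b"4111-1111-1111-1111"          # constructed plaintext, SET-style use case
    em = oaep_encode(pan, 127, seed=b"\x42" * H_LEN)
    print(len(em), oaep_decode(em) == pan)  # 127 True
```

The two mask applications are where the random-oracle reasoning lives: because the seed is hidden behind h(maskedDB) and the data block behind h(seed), any generic attack that treats h as random has to recover the whole encoded message to learn anything about M, which is what the proof relates back to the one-wayness of RSA.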

RSA Corporation publishes a standard for RSA based encryption called PKCS#1. (It is a widely used standard, implemented in Netscape and other browsers, and used in SSL.) Much publicity was given recently to a chosen-ciphertext attack on PKCS#1 that was discovered by Bleichenbacher [15]. RSA Corporation has now revised the protocol, adopting OAEP in PKCS#1 v2.0 [38]. The rationale for that move is that our protocol had been proven to resist chosen-ciphertext attacks (indeed Bleichenbacher’s attacks do not work on OAEP, even though at the time of the design of OAEP we had not thought of these specific attacks), and furthermore OAEP is just as practical as the original PKCS#1 protocol.

OAEP is also included in SET, the electronic payment protocol of MasterCard and Visa, where it is used to encrypt credit card numbers. Both OAEP and PSS are being proposed for the IEEE P1363 standard.

What’s the point of the random oracle paradigm, and what does it buy you? 
It buys efficiency, plus, we claim, security guarantees which, although not at the 
same level as those of the standard provable security approach, are arguably 
superior to those provided by totally ad hoc protocol design. The last point 
merits some more discussion. 

The random oracle paradigm should be used with care and understanding. 
It is important to neither over-estimate nor under-estimate what this paradigm 
buys you in terms of security guarantees. First, one must be clear that this is 
not standard provable security. The function h that we actually use in the final 
scheme is not random. Thus the question is: what has it bought us to have done 
the proof in the first place? 

The overly skeptical might say the answer is “nothing.” This is not quite 
true. Here is one way to see what it buys. In practice, attacks on schemes in- 
volving a SHA-1 derived h and number theory will often themselves treat h as 
random. We call such attacks generic attacks. In other words, cryptanalysis of 
these “mixed” schemes is usually done by assuming h is random. But then the 
proofs apply, and indeed show that such generic attacks will fail unless the un- 
derlying number-theoretic problems are easy. In other words, the analysis at 
least provably excludes a certain common class of attacks, namely generic ones. 

It is important to choose carefully the instantiating function h. The intuition 
stated in [9] is that the resulting scheme is secure as long as the scheme and the 
hash function are sufficiently “independent,” meaning the scheme does not itself 
refer to the hash function in some way. This is a fuzzy guideline which we hope 
to understand better with time. 

An important step in our understanding of the random oracle model was 
taken by Canetti, Goldreich and Halevi [19]. They indicate that there exist 
schemes secure in the random oracle model but insecure under any instantiation 
in which we substitute a function from a small family of efficiently computable 
functions. Their examples however are somewhat contrived, and this kind of 
situation does not arise with any of the “real” constructions in the literature. 

In comparison with totally ad hoc design, a proof in the random oracle model 
has the benefit of viewing the scheme with regard to its meeting a strong and 
formal notion of security, even if this is assuming some underlying primitive 
is very strong. This is better than not formally modeling the security of the 
scheme in any way. This explains why the random oracle model is viewed in [9] 
as a “bridge between theory and practice.” 

Since we introduced this model, it has been used in other places, for example 
in the design and analysis of signature schemes [35,36,34], hash functions [13] 
and threshold encryption schemes [23] . 

3.5 New Notions: Session Key Distribution 

“Entity authentication” is the process by which a party gains confidence in the identity of a communication partner. It is usually coupled with the distribution of a “session key.” These are arguably the most basic problems for secure distributed computation: without a correct solution there can be no meaningful access control or accountability; there cannot even be reliable distribution of work across network resources. Despite a long history and a large literature, this problem rested on no meaningful formal foundation. This is more than an academic complaint: it is an area in which an informal approach has often led to work which has subsequently been found to be wrong, and in some cases the flaws have taken years to discover.

In [8] we address the two party setting of the problem. It achieves provable 
security by providing a model, definitions, protocols, and proofs of correctness 
for these protocols under standard assumptions. 

The three party case of this problem may be the most well-known. It was 
first addressed by Needham and Schroeder in 1978. Its most popular incarnation 
is the Kerberos system. However this system, and existing solutions, suffer from 
the same problems discussed above. In [11] we provide provably secure protocols 
for the three party session key distribution problem. 

All our protocols are efficient and practical, viable alternatives to current 
systems. Some have been implemented. Our models have been used to study 
related key distribution problems, for example in [39]. 

4 What Provable Security Is and Isn’t 

Now that provable security is moving into practice, there are many people who 
although not trained as theoreticians, or even deeply interested in the details of 
research, need to take decisions involving claims about provable security. The 
kinds of things they need to know are: exactly what provable security provides 
and doesn’t provide; how to compare different provably secure schemes; how to 
validate a claim of provable security. So I would like to discuss some of these 
points here. 



4.1 On Limitations 

The above has explained what provable security provides, but it is also important 
to understand its limitations. The first of these is in the model considered. One 
must ask what kinds of attacks the model encompasses. In particular, there are 
classes of attacks that do not fall into the normal fabric of provable security; these 
include timing attacks [29], differential fault analysis [18,14], and differential 
power analysis [30]. (That is, models used in provable security do not encompass 
these attacks. One should note that this does not mean specific proven secure 
schemes fall to these attacks. It just means we do not claim to have proven that 
they do not fall to these attacks. In fact if you look at specific schemes, some 
fall to these attacks, others don’t.) But it is worth investigating an extension of 
provable security that does include these attacks, a line of research suggested by 
Dan Boneh. 

Even when using a proven secure scheme, security can be compromised in a number of ways. Sometimes, requirements may have been overlooked: we proved security, but for the wrong problem or in the wrong model. Or, the protocol may be used incorrectly. For example, a setting such as key exchange might require a public key encryption scheme that is secure against chosen-ciphertext attack. It does little good to use a proven secure scheme that is only proven secure against chosen-plaintext attack. This is a question of understanding what requirements a higher level protocol imposes on the lower level primitive.

Or software may be buggy. If you implement the scheme incorrectly, obvi- 
ously all bets are off. Similarly the environment may be improperly administered 
leading to loss of passwords or keys. There may be insider attacks. And so on. 



4.2 On Assumptions 

Proven security does not mean that attacks (of the kind modeled) are uncondi- 
tionally guaranteed to fail. Remember that a scheme is proven secure given some 
assumption. For example, we may have an encryption scheme proven to resist 
chosen-plaintext attacks as long as the problem of factoring a number that is the 
product of two primes is computationally infeasible. Or, as in examples above, that 
a message authentication scheme is secure as long as the underlying cipher behaves 
like a pseudorandom function family. 

If these assumptions fail, of course the proof becomes worthless. (One should 
note that failure of an assumption does not necessarily lead to attacks on the 
scheme. It just means that the proof of security is no longer useful.) This means 
that a proof of security is worth more when the assumption is weaker, i.e., less 
likely to fail. An important parameter of a proof of security is thus the underly- 
ing assumption: the weaker the better. In particular this becomes something to 
consider in comparing schemes. If you have a choice between two schemes, you 
will of course take into account many things, such as performance, ease of 
implementation, exportability and so on. But on the security front, if both schemes 
are proven secure, the one making weaker assumptions is preferable. 

Comparing provable guarantees has both a qualitative and quantitative as- 
pect. Even when two schemes are based on the same assumptions, one may 
have better concrete security. (We discussed the concrete security approach in 
Section 3.2.) This means that there is less loss of security in the translation 
from the problem of the assumption to the scheme. An example is the signature 
schemes FDH and PSS [12]: both are proven secure in the random oracle model 
assuming RSA is one-way, but the reduction for PSS is tight and that for FDH 
is not, so the quantitative guarantee of PSS is better. 

How does one compare assumptions to see which is weaker? Unfortunately 
it is not always possible. Indeed, in the bulk of cases, we do not know how to 
compare the assumptions underlying various proofs of security. But it is still 
important to know about this and know when they are comparable and when 
not. 

To illustrate these issues let us look at public key encryption secure against 
chosen-ciphertext attack. We discussed (RSA based) OAEP [10] above: it is 
proven secure in the random oracle model assuming the RSA function is one- 
way. 

Dolev, Dwork and Naor [22] had designed a scheme that resists chosen- 
ciphertext attack many years prior to this. Let's call this the DDN scheme. The 
security of the DDN scheme can be proven assuming RSA is a one-way func- 
tion. Notice that this assumption is weaker than the one underlying OAEP, since 
OAEP assumes in addition that we have a hash function that behaves like a ran- 
dom oracle. As a consequence we can say that the provable security guarantee 
provided in the DDN scheme is superior to that of OAEP. In this case, a security 
comparison was possible. 

More recently, Cramer and Shoup [20] introduced a new proven-secure en- 
cryption scheme which we call the CS scheme. Unlike the schemes we have been 
discussing up to now, it is not RSA based: it assumes the hardness of a certain 
version of the Diffie-Hellman problem. How does the security of the CS scheme 
compare to that of OAEP? That is more difficult to assess. The CS scheme 
does not use the random-oracle paradigm, which is a plus. But it assumes the 
hardness of the so-called Decisional Diffie-Hellman problem. (See [17] for a nice 
discussion of this problem.) This is a strong assumption, and relatively new and 
un-studied one compared to the assumption that RSA is one-way. (It would be 
much more surprising if the RSA assumption failed than if the Decisional Diffie- 
Hellman assumption failed.) In particular, we do not know how this assumption 
compares to the assumptions underlying OAEP. So, while the fact that the CS 
scheme avoids random oracles is a point in its favor, it is not really possible to 
say that one of these schemes has better security guarantees than the other in 
practice, because the assumptions are incomparable. 

If one had to choose a scheme in practice one would of course also consider 
cost. OAEP has the same cost as heuristic RSA schemes. The DDN scheme is 
many orders of magnitude more expensive than any practical scheme, since it 
involves multiple signatures and zero-knowledge proofs, and thus is likely to be 
ruled out. The CS scheme is much cheaper than the DDN scheme, but still more 
expensive than OAEP. (Encryption in OAEP is only a few multiplications if a 
small RSA exponent is used; while in the CS scheme it is a few exponentiations. 
Decryption in the CS scheme is about five times as costly as in OAEP.) In some 
applications, this kind of increase may be tolerable; in others not. There is no 
unique answer. 



4.3 Proofs and Definitions 

Faced with a choice of protocols claiming to be provably secure, we discussed 
above some issues involved in comparing them. Another should be mentioned: 
verification of the claims. A scheme isn’t provably secure just because it is 
claimed to be so. One should check that proper formal definitions of security 
have been provided so as to know what is being proved. One should be able to 
at least cursorily verify the claims. How? Remember that a reduction consists 
of an algorithm that is an attacker for the problem we are assuming hard, using 
as a subroutine an attacker for the scheme. Look at least for a description 
of such an algorithm. 



5 Going On 

The above has discussed provable security and its practice oriented variant in a 
general way. Next I would like to illustrate the ideas by looking in more depth at 
a central problem: encryption. The goal is to motivate the need for strong and 
formal notions of security and then show how to adapt the seminal notions 
of [26] (given in the asymmetric setting) to the symmetric setting. With concrete 
security definitions in hand, we will turn to analyzing popular encryption modes 
like CBC or CTR and gauge their merits. We want to answer questions like: are 
they secure? Which is "better"? 

I did this in my talk, for the most part following [5], and refer the reader 
there for this material. Some day, I hope to extend this article by the inclusion 
of this and other material. 
Abstract. The objective of this paper¹ is to give an elementary 
introduction to fundamental concepts, techniques and results of Secure 
Computation. 

Topics covered include classical results for general secure computation 
by Yao, Goldreich & Micali & Wigderson, Kilian, Ben-Or & Goldwasser 
& Wigderson, and Chaum & Crepeau & Damgaard. 

We also introduce such concepts as oblivious transfer, security against 
malicious attacks and verifiable secret sharing, and for some of these 
important primitives we discuss realization. 

This paper is organized as follows. 

Part I deals with oblivious transfer and secure (general) two-party com- 
putation. 

Part II discusses secure general multi-party computation and verifiable 
secret sharing. 

Part III addresses information theoretic security and presents detailed 
but elementary explanations of some recent results in Verifiable Secret 
Sharing and Multi-Party Computation. 

The importance of theory and general techniques often lies in the fact 
that the true nature of security is uncovered and that this in turn makes 
it possible to explore what is "possible at all". This then motivates the search 
for concrete and often specialized realizations that are more efficient. 
Nevertheless, many principles developed as part of the general theory 
are fundamental to the design of practical solutions as well. 



Part I 

Secure Two-Party Computation 

1 Oblivious Transfer and Match-Making 

Suppose there are two politicians who want to find out whether they both agree 
on a certain matter. For instance, they may be discussing a controversial law that 
has been proposed. Clearly, they could decide just to announce to each other 

¹ This paper is based on a lecture given by the author at the 1998 Aarhus 
Summer School in Cryptography and Data Security. An updated and extended version may 
be obtained from the author in the near future. 
their opinion, and both of them could determine whether there is agreement. 
But this has a drawback that careful politicians may wish to avoid. If only one 
of them supports that controversial law, he may lose face. 

In other words, what they need is a method allowing two players to figure 
out if they both agree but in such a way that if they don’t, then any player that 
has rejected the matter has no clue about the other player’s opinion. Moreover, 
they may want to be able to carry out the method over a distance. 

Technically, we can model the situation as follows. There are two players, A 
and B, and each of them has a secret bit. Say that A has the bit a and B has 
the bit b. 

They want to compute $a \cdot b$ (which corresponds to the logical AND of a and 
b, and hence is 1 if and only if $a = b = 1$) so that 

— Correctness: none of the players is led to accept a false result. 

— Fairness: each learns the result $a \cdot b$. 

— Privacy: each learns nothing more than what is implied by the result and 
their own input. 

Indeed, if A for example holds $a = 0$, then $a \cdot b = 0$, regardless of the value 
of b. Therefore, B's choice b remains unknown to A in this case. 

We construct a solution to this "Match-Making" problem based on an important 
primitive, Oblivious Transfer (OT) (more precisely: "chosen one-out-of-two 
oblivious transfer"). An OT is a protocol between two players, a sender S and 
a receiver R, that achieves the following. S has two secret input bits, $b_0$ and $b_1$, 
and R has a secret selection bit s. At the end of the protocol, which may consist 
of a number of exchanges of information between S and R, R obtains the bit $b_s$, 
but without having obtained any information about the other bit $b_{1-s}$ (sender 
security). On the other hand, S does not get any information about the selection 
bit s (receiver security). 

We use $\mathrm{OT}(b_0, b_1, s) = b_s$ to denote the output of an OT protocol as a 
function of the inputs. It is useful to observe that $b_s$ is actually equal to 
$(1 \oplus s)\, b_0 \oplus s\, b_1$, where the operations are the usual multiplication and 
addition of bits. 

Sender                                     Receiver 
In: b_0, b_1 ∈ {0,1}                       In: s ∈ {0,1} 
              S ↔ R : OT(b_0, b_1, s) 
                                           Out: b_s 

Although at this point it is not clear whether OT-protocols exist and if so, 
how to construct them, we can already solve the Match-Making problem by 
assuming an OT-protocol! 

This is how. If A and B now execute the OT-protocol with A acting as the 
sender and B as the receiver, using $b_0 = 0$ and $b_1 = a$, and $s = b$ as their 
respective inputs, we see that B gets the value ab as output. In other words, 
$\mathrm{OT}(0, a, b) = (b \oplus 1) \cdot 0 \oplus b \cdot a = ab$. Finally, B simply reveals ab to A, so that both 
learn the result. And indeed, if $b = 0$, then $ab = 0$ no matter what a is, and player 
B learns nothing more about a by the properties of OT. If $a = 0$, then from the 
fact that the OT-protocol doesn't leak information about b and the fact that in 
this case B returns 0 to A in the final step no matter what b is, A learns 
nothing more about b as a result of the complete protocol. 

Note that with respect to correctness and fairness, we have to assume that B 
indeed sends the correct value ab to A. Furthermore, we must assume here that 
both players take their actual choices as input to the protocol. But in any case, 
we can say that the protocol is secure for both parties if they are semi-honest. 
This means that both follow the rules of the game, but may try to learn as much 
as possible about the other player’s input. We must also assume that no crash- 
failures occur, i.e. both players remain operational throughout the protocol and 
don’t fail. 

1.1 Historical Notes 

Oblivious Transfer was originally introduced by M. O. Rabin [71], in a slightly 
different way. Namely, in his definition, the sender has just one bit b, and at the 
end of the protocol the receiver gets the bit b with probability 1/2. Otherwise 
the receiver gets “?”, and doesn’t receive the bit. The sender cannot tell what 
happened. 

Even, Goldreich and Lempel [40] later defined OT as we use it here, except 
that they require the selection bit to be random. It turned out that Wiesner [74] 
had earlier devised a similar definition in unpublished work. 

The definition used here has appeared in many works on OT. 

Soon after the invention of OT by Rabin, M. Blum [16] conceived coin-flipping 
over the phone and certified electronic mail as applications of OT. 



2 Variations and Other Applications of OT 

The Match-Making protocol is in fact just a toy example. Oblivious Transfer is 
an important primitive with many powerful applications, as we shall see. 

2.1 OT of Strings 

Suppose that instead of bits $b_0$ and $b_1$, the sender in OT has two strings $x_0, x_1 \in 
\{0,1\}^n$. Can we perform an OT where the receiver obtains the string $x_0$ if his 
selection bit s is 0 and the string $x_1$ otherwise? Note that "bitwise" OT of the n 
pairs of bits $x_0^i, x_1^i$ of $x_0$ and $x_1$ is clearly not an option, since a cheater can for 
instance learn bits of both strings, which contradicts the requirements of string 
OT (whose definition is the obvious extension of the definition of OT of bits). 

A general approach to this problem of oblivious transfer of strings is due to 
Brassard, Crepeau and Santha and appears in [17]. They define zig-zag functions. 
Consider a function $h : \{0,1\}^m \to \{0,1\}^n$, and for an arbitrary subset J of 
$\{1, \ldots, m\}$ and arbitrary $y \in \{0,1\}^m$, let $y_J$ denote $y = (y_1, \ldots, y_m)$ restricted 
to the $|J|$ bits $y_i$ with $i \in J$. 

A function h is a zig-zag if for any $I \subseteq \{1, \ldots, m\}$ there is a $J \in \{I, I^c\}$ such 
that for any $x \in \{0,1\}^n$ and for a uniformly random chosen h-preimage y of x, 
$y_J$ gives no information about $h(y) = x$. 

In other words, for any fixed subset of the m bits of y, it holds that either 
this subset of the bits or the remaining bits give no information about $h(y) = x$, 
and which of the two cases actually holds does not depend on x or y. 

Given such a function h, this is how one can perform chosen one-out-of-two 
oblivious transfer of n-bit strings $x_0$ and $x_1$. First the sender selects random $y_0$ 
and $y_1$ such that $h(y_0) = x_0$ and $h(y_1) = x_1$. Say that the receiver wishes to get 
the string $x_s$. Then they execute for $i = 1, \ldots, m$ the protocol $\mathrm{OT}(y_0^i, y_1^i, s)$, 
one bit OT per bit of the m-bit preimages, where $y_0^i, y_1^i$ denote the i-th bits of $y_0, y_1$. As a 
result, the receiver gets all bits of $y_s$, applies h to it and gets $x_s$. Clearly, the 
sender has no information about s. 

Let's see why it is true that at least one of the strings $x_0, x_1$ remains as 
unknown to the receiver as before the protocol. It is clear, by inspection of the 
protocol and the properties of OT, that even if the receiver deviates from the 
steps above there is some $I \subseteq \{1, \ldots, m\}$ such that he receives at best $y_{0,I}$ and 
$y_{1,I^c}$. Let J, with $J = I$ or $J = I^c$, be as in the definition of a zig-zag function. 
Then the receiver obtains at best $y_{0,J}$ and $y_{1,J^c}$ and he has no information 
about $h(y_0) = x_0$, or obtains $y_{0,J^c}$ and $y_{1,J}$ and he has no information about 
$h(y_1) = x_1$, since J only depends on h and I. 

Constructions of zig-zag functions can be based on linear codes. It is easy to 
see that it is sufficient to construct a binary matrix with n rows such that for 
any subset I of the columns it holds that the columns in I or those in $I^c$ have maximal 
rank n. (Take h to be multiplication by this matrix: if the columns outside I have 
rank n, then for a uniformly random preimage y of x the bits $y_I$ are independent of x, 
and symmetrically for $I^c$.) Finding 
preimages can be done efficiently using basic linear algebra. Here is a small 
example with n = 2 and m = 3: the first column has entries 1 and 0, the second 
1 and 1, and the third 0 and 1. Examples for larger values of n can be found for 
instance using recursion in combination with Vandermonde matrices, working 
over extension fields [17]. 
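As an added worked example (not part of the original paper), the following Python code builds the n = 2, m = 3 matrix just described, verifies the rank condition on every column subset, samples uniformly random preimages by Gaussian elimination over GF(2), and runs the string OT of this section on top of an ideal bit OT, i.e. a trusted-party stand-in for a real OT protocol. It also reports, for a receiver who obtains $y_{0,I}$ and $y_{1,I^c}$, which of the two strings stays hidden. The function names (`ideal_ot`, `is_zigzag`, `random_preimage`, `string_ot`, `hidden_string`) are mine, not from [17].

```python
import itertools
import random


def gf2_rank(rows):
    """Rank over GF(2) of a list of row vectors given as bitmasks."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = rows.pop()
        rank += 1
        low = pivot & -pivot                          # lowest set bit of the pivot row
        rows = [r ^ pivot if r & low else r for r in rows]
        rows = [r for r in rows if r]
    return rank


def sub_rank(H, cols):
    """Rank of the submatrix of H (n rows of m bits) formed by the given columns."""
    return gf2_rank([sum(row[j] << j for j in cols) for row in H])


def is_zigzag(H):
    """Sufficient condition from the text: for every column subset I, the columns
    in I or those in its complement have full rank n."""
    n, m = len(H), len(H[0])
    for r in range(m + 1):
        for I in itertools.combinations(range(m), r):
            Ic = [j for j in range(m) if j not in I]
            if sub_rank(H, I) < n and sub_rank(H, Ic) < n:
                return False
    return True


def hidden_string(H, I):
    """A receiver who learns y_{0,I} and y_{1,I^c} still knows nothing about x_0 if the
    columns outside I have full rank (returns 0), otherwise nothing about x_1 (returns 1).
    Assumes H is a zig-zag."""
    n, m = len(H), len(H[0])
    Ic = [j for j in range(m) if j not in I]
    return 0 if sub_rank(H, Ic) == n else 1


def h(H, y):
    """The linear map y -> H y over GF(2)."""
    return [sum(row[j] & y[j] for j in range(len(y))) % 2 for row in H]


def random_preimage(H, x, rng=None):
    """Uniformly random y with H y = x: reduce the augmented system to reduced row
    echelon form, draw the free variables at random, back-substitute the pivots."""
    if rng is None:
        rng = random.Random()
    n, m = len(H), len(H[0])
    rows = [sum(H[i][j] << j for j in range(m)) | (x[i] << m) for i in range(n)]
    pivots = []                                       # (row, pivot column)
    r = 0
    for c in range(m):
        p = next((k for k in range(r, n) if (rows[k] >> c) & 1), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        for k in range(n):
            if k != r and (rows[k] >> c) & 1:
                rows[k] ^= rows[r]
        pivots.append((r, c))
        r += 1
    if any(rows[k] == 1 << m for k in range(r, n)):   # a row "0 = 1": no solution
        raise ValueError("x is not in the image of h")
    pivot_cols = {c for _, c in pivots}
    y = [0 if c in pivot_cols else rng.randrange(2) for c in range(m)]
    for k, c in pivots:
        rhs = (rows[k] >> m) & 1
        y[c] = rhs ^ (sum(((rows[k] >> j) & 1) & y[j] for j in range(m) if j != c) % 2)
    return y


def ideal_ot(b0, b1, s):
    """Ideal chosen one-out-of-two bit OT (stand-in for a real OT protocol)."""
    return b1 if s else b0


def string_ot(H, x0, x1, s, rng=None):
    """Sender holds x0, x1; receiver holds s. One bit OT per coordinate of the preimages."""
    y0 = random_preimage(H, x0, rng)                  # sender: random preimages
    y1 = random_preimage(H, x1, rng)
    ys = [ideal_ot(y0[j], y1[j], s) for j in range(len(y0))]   # receiver obtains y_s
    return h(H, ys)                                   # ... and applies h to get x_s


# The n = 2, m = 3 example from the text: columns (1,0), (1,1), (0,1).
H_EXAMPLE = [[1, 1, 0],
             [0, 1, 1]]

if __name__ == "__main__":
    print("zig-zag:", is_zigzag(H_EXAMPLE))
    for s in (0, 1):
        print("receiver with s =", s, "gets", string_ot(H_EXAMPLE, [1, 0], [0, 1], s))
    print("a receiver holding y_0 restricted to {0} stays ignorant of x_%d"
          % hidden_string(H_EXAMPLE, [0]))
```

The check in `is_zigzag` is exhaustive over all 2^m column subsets, which is only sensible for the small example; for the Vandermonde-based families of [17] the property follows from the code's minimum distance instead.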

2.2 Oblivious Common String Verification 

We describe a nice application of oblivious string transfer due to Fagin, Naor 
and Winkler [41]. There are two players A and B, and each of them holds some 
secret n-bit string. Their goal is to obliviously verify whether those strings are 
equal: as a result both of them should learn whether the strings are equal, but 
nothing more than that. Obviously, a secure protocol for this task can be used 
as a means of identification in a number of scenarios. 

This is how the FNW protocol works. A has $x = (x_1, \ldots, x_n) \in \{0,1\}^n$ and 
B has $y = (y_1, \ldots, y_n) \in \{0,1\}^n$ as private input. For $i = 1, \ldots, n$, A selects 
random k-bit strings $r_{i,0}$ and $r_{i,1}$, and B selects random k-bit strings $s_{i,0}$ and 
$s_{i,1}$. The parameter k is a security parameter. In the following, if u and v are 
bit strings of the same length, then $u + v$ denotes the string whose i-th bit is 
equal to the sum (modulo 2) of the i-th bit of u and the i-th bit of v. 

Consider the bit strings $\alpha = \sum_{i=1}^n s_{i,x_i}$, $\beta = \sum_{i=1}^n r_{i,y_i}$, 
$\alpha' = \sum_{i=1}^n r_{i,x_i}$ and $\beta' = \sum_{i=1}^n s_{i,y_i}$. If $x = y$, then clearly 
$\alpha + \alpha' = \beta + \beta'$. Otherwise, these values are different with probability 
$1 - 1/2^k$ (so in order for the error to be small, k must be large). 

Note that A and B can obtain the strings $\alpha$, resp. $\beta$ by one-out-of-two string 
OT. The values $\alpha'$ and $\beta'$ can be computed by A and B respectively from their 
own random choices and their input strings. This is the complete protocol. 



A                                                  B 
In: x ∈ {0,1}^n                                    In: y ∈ {0,1}^n 
For i = 1...n,                                     For i = 1...n, 
  r_{i,0}, r_{i,1} ∈ {0,1}^k : random                s_{i,0}, s_{i,1} ∈ {0,1}^k : random 

              A → B : For i = 1...n, OT(r_{i,0}, r_{i,1}, y_i) 
              B → A : For i = 1...n, OT(s_{i,0}, s_{i,1}, x_i) 

α  = Σ_{i=1}^n OT(s_{i,0}, s_{i,1}, x_i)          β  = Σ_{i=1}^n OT(r_{i,0}, r_{i,1}, y_i) 
α' = Σ_{i=1}^n r_{i,x_i}                           β' = Σ_{i=1}^n s_{i,y_i} 

              A → B : α + α' 
              B → A : β + β' 

Out: α + α' = β + β' ?                             Out: α + α' = β + β' ? 



Note that if one of the parties is honest, and the other party has some $y_i$ that 
differs from $x_i$, then the latter receives a completely random string in the final 
exchange. There exists a variety of other solutions to this particular problem. 
See [37] for a more efficient solution based on OT. Both [41] and [37] additionally 
survey completely different approaches not based on OT. 
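The following Python code, added here as an illustration and not taken from [41], runs the FNW protocol with an ideal string OT standing in for the OT of Section 2.1 (k-bit strings are held as integers, so the sum "+" of the text is XOR). It also measures the false-accept rate for a deliberately tiny k, which makes the $1/2^k$ error of the analysis visible; the names `fnw_equality` and `false_accept_rate` are mine.

```python
import random


def ideal_string_ot(x0, x1, s):
    """Ideal chosen one-out-of-two string OT (stand-in for the string OT of Section 2.1)."""
    return x1 if s else x0


def fnw_equality(x, y, k=32, rng=None):
    """Fagin-Naor-Winkler oblivious equality test on two n-bit strings x and y
    (lists of bits). The k-bit strings of the text are ints and '+' is XOR.
    Returns (A's verdict, B's verdict, A's final message, B's final message)."""
    if rng is None:
        rng = random.Random()
    n = len(x)
    if len(y) != n:
        raise ValueError("inputs must have the same length")
    r = [(rng.getrandbits(k), rng.getrandbits(k)) for _ in range(n)]   # A: r_{i,0}, r_{i,1}
    s = [(rng.getrandbits(k), rng.getrandbits(k)) for _ in range(n)]   # B: s_{i,0}, s_{i,1}
    alpha = alpha_p = beta = beta_p = 0
    for i in range(n):
        alpha ^= ideal_string_ot(s[i][0], s[i][1], x[i])   # B -> A: OT(s_{i,0}, s_{i,1}, x_i)
        alpha_p ^= r[i][x[i]]                              # A's own r_{i,x_i}
        beta ^= ideal_string_ot(r[i][0], r[i][1], y[i])    # A -> B: OT(r_{i,0}, r_{i,1}, y_i)
        beta_p ^= s[i][y[i]]                               # B's own s_{i,y_i}
    msg_a = alpha ^ alpha_p                                # A -> B: alpha + alpha'
    msg_b = beta ^ beta_p                                  # B -> A: beta + beta'
    return msg_a == msg_b, msg_b == msg_a, msg_a, msg_b


def false_accept_rate(k, trials, seed=0):
    """Empirical probability that two different 8-bit strings are declared equal.
    The analysis predicts 1/2^k; k is tiny here only to make the event observable."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = [rng.randrange(2) for _ in range(8)]
        y = list(x)
        y[rng.randrange(8)] ^= 1                           # flip one bit so that x != y
        if fnw_equality(x, y, k, rng)[0]:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("equal inputs:", fnw_equality([1, 0, 1, 1], [1, 0, 1, 1])[:2])
    print("unequal inputs:", fnw_equality([1, 0, 1, 1], [1, 0, 0, 1])[:2])
    print("false accepts with k = 4:", false_accept_rate(4, 4000))
```

When x and y differ in even one position, the two final messages differ by a XOR of fresh random k-bit values, so the other party's message looks uniformly random; this is the semi-honest privacy argument of the text, and the measured rate for k = 4 sits near 1/16.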



2.3 A Reduction 

Crepeau [33] has shown that the OT as defined by Rabin (Rabin-OT, see Section 1.1) 
and chosen one-out-of-two OT are the same in the sense that one can 
be simulated from the other in a blackbox fashion, and vice versa. 

Given chosen one-out-of-two OT as a subroutine, Rabin-OT can be simulated 
as follows. The sender in Rabin-OT has a bit b to be obliviously transferred. First, 
the sender selects bits $b_0$ and $b_1$ at random such that $b_0 \oplus b_1 = b$, and the receiver 
selects a random selection bit s. After they have executed $\mathrm{OT}(b_0, b_1, s)$, the 
sender selects a random bit t and sends $(t, b_t)$ to the receiver. With probability 
1/2, t is different from s and hence the receiver obtains both bits $b_0$ and $b_1$ and 
computes $b = b_0 \oplus b_1$. Also with probability 1/2, the receiver gets the bit he 
already had, leaving him in the dark about the other bit by the properties of 
chosen one-out-of-two OT and hence about b. The sender doesn't know what 
happened, since he doesn't learn s. 



The interesting case is to simulate chosen one-out-of-two OT from Rabin-OT. 
So let the sender have input bits $b_0$ and $b_1$, and let the receiver have a selection 
bit s. Furthermore, Rabin-OT is at their disposal as a subroutine. 

The sender chooses k random bits $\delta_1, \ldots, \delta_k$, where k is a security parameter. 
This value should be chosen large enough so that some error probability (to 
become clear later on) is small enough to be acceptable. 

Next, using Rabin-OT, the sender transmits these bits one by one to the 
receiver, who is expected to receive roughly half of them. It is important to note 
that with probability $1 - 1/2^k$, at least one of the bits is not received, and with 
the same probability some bit is received. 

Let $I \subseteq \{1, \ldots, k\}$ denote the collection of j such that $\delta_j$ has been received. 
Likewise, $I^c$ refers to the bits that have not arrived. Having selection bit s, the 
receiver writes $I_s = I$ and $I_{1-s} = I^c$ and sends the ordered pair $(I_0, I_1)$ to the 
sender. The sender now knows that the receiver obtained the bits corresponding 
to $I_0$ or $I_1$, but both events are equally likely from his point of view by the 
properties of Rabin-OT. Next, the sender adds all bits $\delta_i, i \in I_0$ to $b_0$ and the 
bits $\delta_i, i \in I_1$ to $b_1$, and sends the resulting two bits to the receiver. Since the 
latter knows all bits $\delta_i, i \in I_s$, he can recover the bit $b_s$, as required. It's clear 
that the sender has no clue about s. 

Finally, consider a cheating receiver, who might define the sets $I_0, I_1$ differently, 
and perhaps learn more. However, if $I_0$ and $I_1$ cover the full set $\{1, \ldots, k\}$, 
then with probability $1 - 1/2^k$ at least one of the sets, say $I_0$, contains an index 
referring to a bit not received, which is hence completely unknown. In this case, 
the receiver doesn't learn $b_0$. 
Sender                                         Receiver 
In: b_0, b_1 ∈ {0,1}                            In: s ∈ {0,1} 
δ_1, ..., δ_k ∈ {0,1} : random 

              S → R : Rabin-OT(δ_1), ..., Rabin-OT(δ_k) 

                                               received: δ_j, j ∈ I 
                                               set I_s = I, I_{1-s} = I^c 
              R → S : (I_0, I_1), with I_0 ∪ I_1 = {1, ..., k} 

z_0 = (⊕_{i∈I_0} δ_i) ⊕ b_0 
z_1 = (⊕_{i∈I_1} δ_i) ⊕ b_1 
              S → R : z_0, z_1 

                                               Out: b_s = (⊕_{i∈I_s} δ_i) ⊕ z_s 
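Both directions of Crepeau's reduction, simulated in Python with ideal versions of Rabin-OT and of chosen one-out-of-two OT as the subroutines (an added example, not code from [33]; the function names are mine). The second direction also reports the event in which the receiver happened to receive every $\delta_j$, which is exactly the $1/2^k$ failure of sender security discussed above.

```python
import random


def ideal_ot(b0, b1, s):
    """Ideal chosen one-out-of-two bit OT (stand-in for a real OT protocol)."""
    return b1 if s else b0


def ideal_rabin_ot(b, rng):
    """Ideal Rabin-OT: the receiver gets b with probability 1/2, else '?' (None)."""
    return b if rng.randrange(2) == 0 else None


def rabin_ot_from_ot(b, rng=None):
    """Rabin-OT from one chosen one-out-of-two OT (first direction in the text).
    Returns the receiver's output: b or None ('?')."""
    if rng is None:
        rng = random.Random()
    b0 = rng.randrange(2)                 # sender: random sharing with b0 xor b1 = b
    b1 = b0 ^ b
    s = rng.randrange(2)                  # receiver: random selection bit
    bs = ideal_ot(b0, b1, s)              # receiver learns b_s
    t = rng.randrange(2)                  # sender: random t, sends (t, b_t)
    bt = b1 if t else b0
    if t != s:                            # receiver now holds both shares
        return bs ^ bt
    return None                           # got b_s twice: nothing about b_{1-s}, hence about b


def xor_over(bits, idx):
    """XOR of bits[j] over j in idx (bits may be a list or a dict)."""
    acc = 0
    for j in idx:
        acc ^= bits[j]
    return acc


def ot_from_rabin_ot(b0, b1, s, k=40, rng=None):
    """Chosen one-out-of-two OT from k Rabin-OTs (second direction in the text).
    Returns (b_s as recovered by the receiver, sender_security_lost); the flag is True
    when the receiver got every delta_j (probability 1/2^k) and so can read both bits."""
    if rng is None:
        rng = random.Random()
    delta = [rng.randrange(2) for _ in range(k)]        # sender's random bits
    received = {}                                        # receiver's view: j -> delta_j
    for j in range(k):
        d = ideal_rabin_ot(delta[j], rng)
        if d is not None:
            received[j] = d
    I = sorted(received)
    Ic = [j for j in range(k) if j not in received]
    sets = {s: I, 1 - s: Ic}                             # R -> S: the ordered pair (I_0, I_1)
    # sender: the two sets must partition {0, ..., k-1}; then mask b_0 and b_1
    if sorted(sets[0] + sets[1]) != list(range(k)):
        raise ValueError("receiver sent sets that do not partition the index set")
    z = [b0 ^ xor_over(delta, sets[0]), b1 ^ xor_over(delta, sets[1])]   # S -> R: z_0, z_1
    recovered = z[s] ^ xor_over(received, sets[s])       # receiver knows delta_j for j in I_s
    return recovered, len(received) == k


if __name__ == "__main__":
    print("Rabin-OT from OT, 10 runs with b = 1:", [rabin_ot_from_ot(1) for _ in range(10)])
    print("OT from Rabin-OT, (b0, b1, s) = (0, 1, 1):", ot_from_rabin_ot(0, 1, 1))
```

A receiver who receives nothing at all is not a problem for correctness: $I_s$ is then empty, the mask on $z_s$ is the empty XOR, and $b_s$ is read off directly; only the case of receiving everything breaks sender security, and k is chosen to make that negligible.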



3 Constructions of OT-Protocols 

For OT protocols to exist, we must make assumptions about the world in which 
the players operate, for instance related to the communication channel connect- 
ing the players, or their computational abilities. 

However, besides its elegance and usefulness in protocol design, it is interest- 
ing to note that OT can be implemented under a wide variety of different such 
assumptions. 

Among these, the difficulty of factoring large random composite integers, 
the Diffie-Hellman problem (related to the difficulty of computing discrete log- 
arithms), and abstract, general assumptions such as the existence of trapdoor 
one-way permutations (which can be implemented under the RSA assumption) 
[54]. But physical assumptions suffice as well, such as the OT based on noisy 
communication channels of Crepeau and Kilian [36]. 



3.1 Necessity of Assumptions 

Why doesn’t OT exist unconditionally? Indeed suppose that a protocol for OT 
exists, making no assumptions on the computational abilities of the players, the 
communication channel or whatever. 

Then there are programs used by sender and receiver to compute the ex- 
changed messages, that given random strings and the input bits would operate 
deterministically. Moreover, we may assume that the players communicate over 
a perfect channel, and that the players have infinite computing power. Say that 
the protocol achieves perfect correctness and always halts. 

This leads to a contradiction as shown by the following (informal) argument, 
even if we assume that the players are semi-honest. 

Given OT, there exists a protocol with similar characteristics for two play- 
ers A and B to obliviously evaluate the AND of their input bits a and b (see 
Section 1). We show that such a protocol does not exist. 

Let T denote the sequence of messages exchanged in a completed execution 
of the protocol (T is called the transcript). Write $x_A \in \{0,1\}^*$ and $x_B \in \{0,1\}^*$ for 
the respective random strings used by A and B in the computation. 

Say that a = 0. We argue that a semi-honest A having a = 0 as input 
can always figure out the value of B's input b, thus contradicting the security 
conditions. 

If $b = 0$, then there exists a random string $x'_A \in \{0,1\}^*$ such that T is 
consistent with A having input $a = 1$ instead of $a = 0$. This follows from the 
fact that B, having $b = 0$ as input, has no information about A's input. Clearly, 
fixing the transcript T and an arbitrary $x'_A$, and setting $a = 1$, A can effectively 
decide whether the transcript is consistent with $x'_A$ and $a = 1$. Since we do not 
assume limits on the computational power of the players, A eventually finds such 
a string $x'_A$. 

In case that $b = 1$, it is clearly impossible that T is consistent with $a = 1$ and 
some $x'_A$, since in this case flipping A's input from 0 to 1 changes the logical 
AND of the inputs: since we assumed perfect correctness, T cannot be consistent 
with two pairs of inputs (a, b) whose respective logical AND is different. 

Therefore, A decides that $b = 0$ if there exists $x'_A$ such that T is consistent 
with $x'_A$ and $a = 1$, and decides that $b = 1$ if no such $x'_A$ exists. 

Similar arguments apply to the OR-function. Based on information-theory, 
one can find a more general argumentation. 



3.2 Rabin-OT 

We present a version of the original Rabin-OT [71]. Let n be the product of two 
distinct, large random primes p and q. By the ass umption that factoring large 
random composite integers is infeasible it is hard² to retrieve p and q given just 
n. 

However, it's easy to generate such n with known factorization. Testing primality 
can be done efficiently³ and by the Prime Number Theorem, the fraction 
of primes smaller than K is roughly $1/\ln K$ for large K. Therefore, one can just 
select a random large integer and test it for primality. After some tries one finds 
a random integer that one knows is prime. Multiplying two such primes gives n. 

² though certainly not impossible. 

³ i.e., certainly in practice. There is also a theoretical result by Adleman and Huang, 
extending a result by Goldwasser and Kilian, saying that primality can be tested in 
probabilistic polynomial time, with a negligible probability that no decision is made. 
Rabin-OT is based on the number-theoretic fact that given two square roots 
x and z of a square y modulo n that do not differ by a sign, one can efficiently 
compute p and q from those roots and n. Indeed, from $x^2 = z^2 \bmod n$ we get 
$(x + z)(x - z) = 0 \bmod n$. And since $x \neq \pm z \bmod n$, n doesn't divide $(x + z)$ 
and doesn't divide $(x - z)$, yet it divides $(x + z)(x - z)$. This is only possible 
if p divides exactly one of the two terms, and q divides the other. We now just 
compute the greatest common divisor of n and $(x - z)$ and the greatest common 
divisor of n and $(x + z)$, to get both factors p and q. Note that greatest common 
divisors can be efficiently computed using for instance Euclid's algorithm. 

Each square y modulo n has four distinct square roots. Indeed, modulo each 
of the factors p and q, there are two square roots. Combining them with the 
Chinese Remainder Theorem, we get 4 distinct roots modulo n. 

From the difficulty of factoring, and the analysis above, we conclude that 
squaring modulo n is a one-way function, i.e. given just n and a random 
square y modulo n, it is infeasible to find a square root of y. Indeed, if this were 
not so, then one would select a random x, compute y as the square modulo n of 
x and compute a square root z of y given just y and n. With probability 1/2, 
$x/z \bmod n$ is a non-trivial square root of 1, and one can factor n efficiently. 

On the other hand, if one knows p and q, computing a root of a square is 
efficient. It's easy to explain in the case that p and q are both 3 mod 4. Let y be 
a square modulo p, and write $z^2 = y \bmod p$. Define $x = y^{(p+1)/4} \bmod p$. Then 

$x^2 = y^{(p+1)/2} = z^{p+1} = z^{p-1} z^2 = z^2 = y \bmod p$, 

using Fermat's little theorem $z^{p-1} = 1 \bmod p$. Same story for computing square roots 
modulo q. So if one has a square modulo n and one knows p and q (both of them 
3 mod 4), one projects the problem modulo n on the factors p and q, computes 
square roots, and lifts it back with the Chinese Remainder Theorem. If p and q 
are not both 3 mod 4, it's more complicated. We say that squaring modulo n is 
a trapdoor one-way function. 

Without giving further details, we state that it is possible to encode a bit b 
as an integer modulo n using a public function $\mathrm{ENCODE}(b, n)$, such that it is 
hard to retrieve b given just $\mathrm{ENCODE}(b, n)$ and n, but easy given the trapdoor 
for n as well, i.e. its factorization. 

The protocol works as follows. The sender encodes the bit b that is to 
be sent by Rabin-OT by computing $\mathrm{ENCODE}(b, n)$. After receiving n and 
$\mathrm{ENCODE}(b, n)$ from the sender, the receiver selects a random x modulo n and 
sends its square y modulo n to the sender. Note y perfectly hides which out of 
the four possible roots the receiver has chosen. The sender, knowing p and q, can 
efficiently compute a random square root z of y and returns it to the receiver. 
With probability 1/2, z does not differ by a sign from x, and the receiver can 
factor n, and efficiently retrieve b from $\mathrm{ENCODE}(b, n)$. Otherwise, also with 
probability 1/2, $z = \pm x \bmod n$, and the receiver doesn't get the factorization of 
n, and hence doesn't get closer to learning b. 
Sender                                         Receiver 
In: b ∈ {0,1} 
              S → R : n, ENCODE(b, n) 
                                               x ∈ Z_n^* : random 
                                               y = x^2 mod n 
              R → S : y 
z : random s.t. 
  z^2 = y mod n 
              S → R : z 
                                               If z ≠ ±x: 
                                                 factor n, get b 
                                                 Out: b 
                                               Else Out: ? 

It is assumed that both players are semi-honest. For sender security we have 
to assume that the receiver is computationally bounded. The security of the 
receiver is unconditional. 
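An added Python illustration of this Rabin-OT, not code from [71]: it generates primes that are 3 mod 4 by the draw-and-test method described above, extracts random square roots through the trapdoor, factors n from two roots that do not differ by a sign, and runs the protocol many times to confirm that the receiver learns b in about half of the runs and never a wrong bit. The text leaves ENCODE unspecified; the choice made here, $\mathrm{ENCODE}(b, n) = (-1)^b r^2 \bmod n$ for random r, is my own and rests on the quadratic residuosity problem (with p and q both 3 mod 4, $-1$ is a non-residue modulo each prime but has Jacobi symbol $+1$ modulo n), so b is hard to read without the factorization and easy with it. The function names are mine and the parameters are toy sizes, far too small for real use.

```python
import math
import random


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def random_prime_3mod4(bits, rng=None):
    """Draw random integers of the given size and test them, as the text describes.
    Forcing the two low bits to 11 yields a prime that is 3 mod 4, which keeps root
    extraction simple."""
    if rng is None:
        rng = random.Random()
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 3
        if is_prime(p):
            return p


def crt(ap, aq, p, q):
    """The x mod pq with x = ap mod p and x = aq mod q."""
    return (ap * q * pow(q, -1, p) + aq * p * pow(p, -1, q)) % (p * q)


def random_root(y, p, q, rng):
    """Uniformly random square root of the square y modulo n = pq, using the trapdoor
    (p, q), both 3 mod 4: y^((p+1)/4) is a root mod p, likewise mod q; random signs
    then select one of the four roots."""
    rp = pow(y % p, (p + 1) // 4, p)
    rq = pow(y % q, (q + 1) // 4, q)
    if rng.randrange(2):
        rp = (-rp) % p
    if rng.randrange(2):
        rq = (-rq) % q
    return crt(rp, rq, p, q)


def factor_from_roots(x, z, n):
    """Two roots of the same square that are not +-each other: gcd(x - z, n) is p or q."""
    g = math.gcd((x - z) % n, n)
    return (g, n // g) if 1 < g < n else None


def encode(b, n, rng):
    """My concrete choice for ENCODE(b, n): (-1)^b * r^2 mod n for random r in Z_n^*.
    With p = q = 3 mod 4, -1 is a non-residue mod p and mod q but has Jacobi symbol +1,
    so recovering b without the factors is the quadratic residuosity problem."""
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (r * r * (-1) ** b) % n


def decode(c, p):
    """With a prime factor in hand, Euler's criterion tells whether c is a square mod p."""
    return 0 if pow(c % p, (p - 1) // 2, p) == 1 else 1


def rabin_ot(b, p, q, rng=None):
    """One run of Rabin-OT between a semi-honest sender (who knows p, q) and receiver.
    Returns b if the receiver obtained the factorization, None ('?') otherwise."""
    if rng is None:
        rng = random.Random()
    n = p * q
    c = encode(b, n, rng)                          # S -> R: n, ENCODE(b, n)
    while True:
        x = rng.randrange(1, n)                    # receiver: random x in Z_n^*
        if math.gcd(x, n) == 1:
            break
    y = x * x % n                                  # R -> S: y
    z = random_root(y, p, q, rng)                  # S -> R: a random root z of y
    if z in (x, (-x) % n):
        return None                                # z = +-x: output '?'
    factors = factor_from_roots(x, z, n)           # z != +-x: the gcd reveals p or q
    return decode(c, factors[0])


def rabin_ot_statistics(b, p, q, trials, seed=0):
    """Repeat the protocol: (runs where the receiver learned b, runs with a wrong bit)."""
    rng = random.Random(seed)
    learned = wrong = 0
    for _ in range(trials):
        out = rabin_ot(b, p, q, rng)
        if out is None:
            continue
        if out == b:
            learned += 1
        else:
            wrong += 1
    return learned, wrong


if __name__ == "__main__":
    rng = random.Random(2024)
    p = random_prime_3mod4(16, rng)
    q = random_prime_3mod4(16, rng)
    while q == p:
        q = random_prime_3mod4(16, rng)
    print("p, q =", p, q)
    print("b = 1, 200 runs (learned, wrong):", rabin_ot_statistics(1, p, q, 200))
```

Note that the receiver's security is unconditional here just as in the text: y is the same for all four roots of x, so the sender's random choice of z is independent of x and the outcome of the run is a fair coin from the sender's point of view.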

3.3 OT Based on RSA 

We give an example for chosen one-out-of-two OT based on RSA [72], the well-known 
public-key encryption scheme which R. Rivest, A. Shamir and L. Adleman 
introduced in 1978. We assume that both players are semi-honest. The sender 
selects two large random distinct primes p and q, and computes $n = pq$, the 
modulus. Next, the sender selects an integer exponent e such that e is relatively 
prime to $(p-1)(q-1)$. Let the integer d satisfy $de = 1 \bmod (p-1)(q-1)$ (given 
p, q and e such d is easy to compute). Now we have $(x^e)^d = (x^d)^e = x \bmod n$ 
for all x. The sender keeps d secret, and sends n, e (public key) to the receiver. 

It has been proved by Alexi, Chor, Goldreich and Schnorr [1] that if a plain- 
text X is chosen at random, guessing the least significant bit of x, given just the 
ciphertext y = x^ mod n, n and e, significantly better than at random, is as hard 
as finding all bits of x. This is called a hard-core bit for the RSA function. Note 
that this result does not follow directly from the usual RSA-security assumption. 
That assumption only states that it is infeasible to recover all bits of x from y. 
In the protocol to follow, the sender in OT exploits the existence of hard-core 
bits to “mask” his bits bo and b\. 

The receiver, having selection bit s, chooses a random plaintext m mod n 
and computes the ciphertext $c_s = m^e \bmod n$. Let $r_s$ denote the least-significant 
bit of the plaintext m. 

The receiver selects the ciphertext $c_{1-s}$ as a random integer modulo n and 
communicates the pair of ciphertexts $(c_0, c_1)$ to the sender. The sender, knowing 
the secret RSA-key, computes for each of those ciphertexts the least-significant 
bits $r_0$ and $r_1$ of their decryptions $c_0^d$ and $c_1^d \bmod n$. Now the sender masks the bits $b_0$ and $b_1$ by setting 
$b'_0 = b_0 \oplus r_0$ and $b'_1 = b_1 \oplus r_1$, and sending them to the receiver. The receiver 
recovers $b_s$ by computing $b'_s \oplus r_s$. The bit $b_{1-s}$ remains concealed, since he 
cannot guess $r_{1-s}$ with high enough probability. Note that the selection bit s is 
unconditionally hidden from the sender, and that we have to assume that the 
receiver is semi-honest in order to guarantee sender security. 

This is essentially the OT protocol of Goldreich, Micali and Wigderson [54], 
which not only works for RSA but any other trapdoor one-way permutation as 
well (though in general, more care has to be taken to define a hard-core bit). 
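The RSA-based OT above in Python with toy parameters, as an added example (not code from [1], [54] or [72]; the names are mine). Besides the honest run, `rsa_ot_cheating_receiver` shows why the semi-honesty assumption is needed: a receiver who submits two ciphertexts whose plaintexts he knows, instead of drawing $c_{1-s}$ at random, unmasks both bits.

```python
import random

# Toy RSA key, constructed for this example only (real keys are vastly larger).
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # D*E = 1 mod (P-1)(Q-1)


def lsb(x):
    """The hard-core bit used here: the least-significant bit of the plaintext."""
    return x & 1


def rsa_ot_sender(c0, c1, b0, b1):
    """Sender's step: decrypt both ciphertexts with d, take the least-significant bits
    r_0, r_1 and return the masked bits b'_0 = b_0 xor r_0, b'_1 = b_1 xor r_1."""
    r0 = lsb(pow(c0, D, N))
    r1 = lsb(pow(c1, D, N))
    return b0 ^ r0, b1 ^ r1


def rsa_ot_receiver_prepare(s, rng):
    """Honest receiver's step: c_s encrypts a random plaintext m the receiver knows,
    c_{1-s} is a random integer mod N. Returns (c_0, c_1) and r_s = lsb(m)."""
    m = rng.randrange(1, N)
    c = [rng.randrange(1, N), rng.randrange(1, N)]
    c[s] = pow(m, E, N)
    return c, lsb(m)


def rsa_ot(b0, b1, s, rng=None):
    """A full run; returns the receiver's output, which equals b_s."""
    if rng is None:
        rng = random.Random()
    (c0, c1), rs = rsa_ot_receiver_prepare(s, rng)          # R -> S: (c_0, c_1)
    b0m, b1m = rsa_ot_sender(c0, c1, b0, b1)                # S -> R: (b'_0, b'_1)
    return (b1m if s else b0m) ^ rs                         # receiver computes b'_s xor r_s


def rsa_ot_cheating_receiver(b0, b1, rng=None):
    """A malicious receiver encrypts two plaintexts he knows, so both masks are known
    to him and he recovers both bits: this is why the receiver must be semi-honest."""
    if rng is None:
        rng = random.Random()
    m0, m1 = rng.randrange(1, N), rng.randrange(1, N)
    b0m, b1m = rsa_ot_sender(pow(m0, E, N), pow(m1, E, N), b0, b1)
    return b0m ^ lsb(m0), b1m ^ lsb(m1)


if __name__ == "__main__":
    for s in (0, 1):
        print("honest receiver with s =", s, "gets", rsa_ot(0, 1, s))
    print("cheating receiver gets both bits:", rsa_ot_cheating_receiver(0, 1))
```

The sender cannot tell which of $c_0, c_1$ was formed as $m^e$, since a random integer modulo n and the RSA encryption of a random plaintext have the same distribution; this is the unconditional receiver security mentioned in the text.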

4 General Secure Two-Party Computation 

It is a natural question to ask which functions other than AND or string equality
can be obliviously evaluated. It is the answer to this question that demonstrates
the power of oblivious transfer: all functions $f$ with finite domain and finite image
can be obliviously evaluated. This is due to A. Yao [75], who based his result on
the assumption that factoring integers is intractable. The protocol below shows
the stronger result saying that the existence of OT is sufficient for this task. This
is due to O. Goldreich and R. Vainish [55].

For simplicity, think of a function $f : \{0,1\}^{n_A} \times \{0,1\}^{n_B} \to \{0,1\}$, where $n_A$
and $n_B$ denote the number of input bits player $A$ and $B$ hold.

The function $f$ is assumed to be efficiently computable (polynomial time on
a Turing machine) and both players have agreed on a Boolean circuit computing
$f$ (so in particular they both know $f$):

— a directed acyclic graph with

— $n_A + n_B$ input nodes, and one output node.

— The remaining vertices are labelled as binary negation, and two-input binary
addition and multiplication gates. Note that these operations correspond to
binary NOT, XOR and AND. The outputs of internal gates can be led to an
arbitrary number of other gates (arbitrary fan-out).

— The topology of the graph dictates the flow of the values on which the
computations are performed. More precisely, the circuit computes $f$ in the sense
that if one assigns the bits of any input strings $a, b$ to the input nodes, and
inductively propagates the values resulting from the computations performed
on them (according to the logic of the gates), then the output node will be
set to $f(a, b)$.

It is well known that all computable functions $f$ can be computed by Boolean
circuits (one circuit per input length) and that a Boolean circuit computing $f$ can be constructed with a
number of nodes (gates) polynomial in the number of inputs (i.e. $n_A + n_B$ in this
case) if $f$ is efficiently computable.

The problem of oblivious function evaluation of $f$ is as follows. Player $A$ has
input $a \in \{0,1\}^{n_A}$, and player $B$ has input $b \in \{0,1\}^{n_B}$. For fixed input $a, b$, and
a fixed circuit computing $f$, the computation graph is the graph representing the
circuit but with the flow of the values written on the edges. For a given gate in
the computation graph, we speak of the actual inputs and the actual output.
We try to devise a protocol for $A$ and $B$ to execute such that both learn
$f(a,b)$, but neither of them learns more than what is implied by $f(a,b)$ and his
own input. In the following we assume that neither player crashes, and that both
of them are semi-honest.

The protocol consists of three stages. 

Input Sharing. For each of the bits $a_i$ of his input string $a$, $A$ selects two
bits $s_{i,A}$ and $s_{i,B}$ at random such that $s_{i,A} \oplus s_{i,B} = a_i$ and sends $s_{i,B}$ to
$B$. Player $B$ does the same for the $n_B$ input bits $b_i$ of his input string $b$,
resulting in $t_{i,A}$ and $t_{i,B}$, and sends $t_{i,A}$ to $A$. This is an additive secret sharing of the inputs, and
the $s$ and $t$ values above are called shares.

Computation. The computation proceeds inductively and in a gate by gate
manner, possibly handling many gates in parallel. The players maintain the
following invariant. The actual inputs to the current gate are additively
shared. After processing of the current gate, there are uniformly random
shares $u_A$ (held by $A$) and $u_B$ (held by $B$) such that $u_A \oplus u_B$ equals the
actual output of the current gate and such that neither player has increased
knowledge about the actual output.

Output Reconstruction. Each player reveals his share in the output bit of
the computation. The sum (XOR) of these shares equals the output bit $f(a,b)$.

It remains to be shown how this invariant is maintained for each of the three 
types of gates. 

4.1 Addition-Gates 

Let $x_0, x_1$ denote the actual input bits, and let $x = x_0 \oplus x_1$ denote the actual
output bit. Then $A$ holds $x_{0,A}$ and $x_{1,A}$, and $B$ holds $x_{0,B}$ and $x_{1,B}$ such that
$x_{0,A} \oplus x_{0,B} = x_0$ and $x_{1,A} \oplus x_{1,B} = x_1$.

Player $A$ computes $x_A = x_{0,A} \oplus x_{1,A}$ as his share in the actual output bit $x$
of the current gate. For $B$ there is a similar program, resulting in a share $x_B = x_{0,B} \oplus x_{1,B}$.
We have $x = x_A \oplus x_B$, and no communication was needed.

4.2 Negation-Gates 

These are simply handled by designating one player, say A, who just flips his 
share in the actual input bit, and takes the result as his share in the actual 
output bit. B just takes his share in the actual input bit as his share in the 
actual output bit. 

4.3 Multiplication- Gates 

A more interesting case is multiplication. Again, let $x_0, x_1$ denote the actual
input bits. Then $A$ holds $x_{0,A}$ and $x_{1,A}$, and $B$ holds $x_{0,B}$ and $x_{1,B}$ such that
$x_{0,A} \oplus x_{0,B} = x_0$ and $x_{1,A} \oplus x_{1,B} = x_1$.

Before we proceed, let's take a look at OT once more. Suppose that player
$A$ has some bit $\alpha$ and that player $B$ has some bit $\beta$. How can they arrive at the
situation where they hold random additive shares in $\alpha \cdot \beta$ but neither of them
has gained information about $\alpha \cdot \beta$?

Let $\rho$ be a secret random bit chosen by player $A$. If $A$ and $B$ now execute the
OT protocol with $A$ acting as the sender and $B$ as the receiver, using $b_0 = \rho$,
$b_1 = \alpha \oplus \rho$, and $s = \beta$ as their respective inputs, we see that $B$ gets the value
$\alpha\beta \oplus \rho$ as output. In other words, $\mathrm{OT}(\rho, \alpha \oplus \rho, \beta) = (\beta \oplus 1)\rho \oplus \beta(\alpha \oplus \rho) = \alpha\beta \oplus \rho$.
$A$ then just takes $\rho$ as his share, and $B$ takes $\alpha\beta \oplus \rho$ as his share. We only need
to argue that $A$ and $B$ do not gain knowledge about each other's inputs as a
result. Clearly, the security of OT implies that $A$ doesn't gain knowledge about
$\beta$, since it is $B$'s selection bit. Again by the security of OT, $B$ learns only one of
$\rho$ and $\rho \oplus \alpha$, and since $\rho$ was chosen at random by $A$, this doesn't increase $B$'s
knowledge about $\alpha$.

    Sender A                                   Receiver B
    In: $\alpha \in \{0,1\}$                        In: $\beta \in \{0,1\}$
    $\rho \in \{0,1\}$ random
    $A \to B$: $\mathrm{OT}(\rho, \alpha \oplus \rho, \beta)$
    Out: $\rho$                                 Out: $\alpha\beta \oplus \rho$

Now we return to handling the multiplication gates. Note that

$$x = x_0 \cdot x_1 = (x_{0,A} \oplus x_{0,B})(x_{1,A} \oplus x_{1,B}) = x_{0,A}x_{1,A} \oplus x_{0,A}x_{1,B} \oplus x_{1,A}x_{0,B} \oplus x_{0,B}x_{1,B}.$$

The first and last terms can be computed locally by $A$ and $B$ respectively; the two
cross terms are handled by the trick above. Two executions of OT with, say, $A$ as the
sender are sufficient to get to the random additive shares of $x$. $A$ selects random
bits $\rho_{01}$ and $\rho_{10}$.

1. $A \to B$: $\mathrm{OT}(\rho_{01}, \rho_{01} \oplus x_{0,A}, x_{1,B}) = \rho_{01} \oplus x_{0,A}x_{1,B}$.

2. $A \to B$: $\mathrm{OT}(\rho_{10}, \rho_{10} \oplus x_{1,A}, x_{0,B}) = \rho_{10} \oplus x_{1,A}x_{0,B}$.

$A$ takes as his share in $x$ the bit $x_A = x_{0,A}x_{1,A} \oplus \rho_{01} \oplus \rho_{10}$, and $B$ takes
$x_B = x_{0,B}x_{1,B} \oplus x_{0,A}x_{1,B} \oplus x_{1,A}x_{0,B} \oplus \rho_{01} \oplus \rho_{10}$, i.e. $x_{0,B}x_{1,B}$ XORed
with the two OT outputs, as his share.



4.4 Complexity of the Protocol 

By inspection, an upper bound on the communication costs of executing the
protocol is $O(|C|)$ OTs and $O(|C|)$ bits (the latter is from the initial input
sharing), where $|C|$ denotes the number of gates in the circuit computing the
function $f$. Handling many gates in parallel, the round complexity is upper
bounded by the depth of the circuit $C$, i.e. the length of the longest path in the
graph of $C$ (only multiplication gates require communication).
4.5 Security Discussion

In order that the above oblivious circuit evaluation protocol satisfies the required 
correctness and privacy properties we have to assume that both players are semi- 
honest, i.e. they follow the protocol and behave exactly as required, but each of 
them separately may try to deduce from the information available to them as 
a result of the protocol execution as much as possible about the other player’s 
inputs. 

It is easy to see that if one of the players is malicious and deviates from the 
protocol, he can make the other player accept a false result, while he in fact 
knows the correct one. With an adequate definition of what it means for OT to 
be secure against malicious attacks, the protocol above would be private though. 
For fairness, we have to assume that neither player crashes before termination 
of the protocol. 

The intuition behind the analysis of privacy is that the invariant maintained 
guarantees that at each point in the execution of the protocol, the players hold 
random additive shares in the actual outputs so far and that the respective shares 
of each player does not increase knowledge about the actual output so far. It 
is only at the end of the protocol where they have random additive shares in 
the actual output that are exchanged, enabling the reconstruction of the actual 
output. 

Therefore, another way to look at the protocol is by saying that, conceptually 
speaking, it simulates a trusted host: a third party who is and can be trusted by 
both players. Given such a third party, both players secretly send their inputs to 
the host, who returns the function value to both players. This is called an ideal 
protocol. 

In an actual proof, one has to show that each player on his own, given just 
his input and the result of the computation, is able to generate efficiently a 
simulation of the protocol that is indistinguishable from the ideal protocol. 

Later we present protocols for the same task, that are secure against much 
stronger adversaries than semi-honest ones in a much broader context, and in 
fact, the security principles outlined above are the basis for defining security 
there as well (Beaver [4], Micali/Rogaway [65], Goldreich [57], Canetti [21]).



5 Example 

As an illustration, let's return to the problem of Oblivious Common String
Verification. We show that the general protocol provides a solution for this problem.
There are good reasons to prefer the solution of Fagin, Naor and Winkler, mainly
because an appropriate OT withstanding attacks by malicious rather than
semi-honest players renders the complete FNW solution secure against this kind of
attack.

But if we may assume the players are semi-honest, the following protocol is
just as good. Two players $A$ and $B$ each hold some secret $n$-bit string. Write
$x = (x_1, \ldots, x_n)$ and $y = (y_1, \ldots, y_n)$ for their respective strings.
Write $f(x_1, \ldots, x_n, y_1, \ldots, y_n) = (x_1 \oplus y_1 \oplus 1) \cdots (x_n \oplus y_n \oplus 1)$. It follows that
$f(x, y) = 1$ if and only if $x = y$.

From this formula for $f$ we can easily derive a Boolean circuit: there are $n$
pairs of input bits $(x_i, y_i)$. For each such pair, the bits in it are first led through
a binary addition gate, after which the result is passed through a negation gate.
Now there are $n$ intermediate results, which only have to be led through an
$n$-input binary multiplication gate. To be consistent with our description, we
first write the $n$-input binary multiplication gate as a tree of depth $\lceil \log n \rceil$ built from
$n - 1$ two-input binary multiplication gates only, and lead the intermediate results into
it.

By the method from Section 4, $A$ and $B$ can now obliviously verify whether
or not they have the same string. Note that $2n$ oblivious transfers and $2 \log n$
rounds of communication suffice; more precisely, the circuit has $n-1$ multiplication
gates, so $2(n-1)$ OTs in $\lceil \log n \rceil$ rounds are enough, since addition and negation
gates need no communication.
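The three-stage protocol of Section 4 and the equality circuit above, as an added example in Python (illustration code written for this page, not the paper's or GMW's own code). OT is modelled as an ideal black box `ot(b0, b1, s)` that returns $b_s$ and counts its calls, so what the block demonstrates is the share arithmetic for addition, negation and multiplication gates, the circuit construction and the OT count; the gate encoding and the function names are assumptions of this example.

```python
# Added example: semi-honest two-party evaluation of a Boolean circuit by
# additive (XOR) sharing (Section 4), applied to the string-equality circuit
# of Section 5.  Not code from the paper.  OT is an ideal black box here.
import secrets

OT_CALLS = 0


def ot(b0, b1, s):
    """Ideal 1-out-of-2 OT used as a black box: the receiver gets b_s.
    A concrete instantiation (e.g. the RSA-based one of Section 3.3) would go here."""
    global OT_CALLS
    OT_CALLS += 1
    return (b0, b1)[s]


def rand_bit():
    return secrets.randbelow(2)


def equality_circuit(n):
    """Gate list for f(x, y) = prod_i (x_i xor y_i xor 1).  Gate ids are list
    indices; ('inA', i) / ('inB', i) are input nodes and the last gate is the output."""
    gates = [("inA", i) for i in range(n)] + [("inB", i) for i in range(n)]
    level = []
    for i in range(n):
        gates.append(("xor", i, n + i))          # x_i xor y_i
        gates.append(("not", len(gates) - 1))     # ... xor 1
        level.append(len(gates) - 1)
    while len(level) > 1:                         # balanced tree of two-input AND gates
        nxt = []
        for j in range(0, len(level) - 1, 2):
            gates.append(("and", level[j], level[j + 1]))
            nxt.append(len(gates) - 1)
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return gates


def evaluate(gates, a_bits, b_bits):
    """Input sharing, gate-by-gate computation and output reconstruction.
    sA and sB hold A's and B's shares of every wire (sA[g] xor sB[g] = actual value)."""
    sA, sB = {}, {}
    for g, gate in enumerate(gates):
        kind = gate[0]
        if kind == "inA":                         # A shares his input bit with B
            sA[g] = rand_bit()
            sB[g] = a_bits[gate[1]] ^ sA[g]
        elif kind == "inB":                       # B shares his input bit with A
            sB[g] = rand_bit()
            sA[g] = b_bits[gate[1]] ^ sB[g]
        elif kind == "xor":                       # addition gate: local
            _, u, v = gate
            sA[g] = sA[u] ^ sA[v]
            sB[g] = sB[u] ^ sB[v]
        elif kind == "not":                       # negation gate: only A flips
            sA[g] = sA[gate[1]] ^ 1
            sB[g] = sB[gate[1]]
        elif kind == "and":                       # multiplication gate: two OTs, A sends
            _, u, v = gate
            rho01, rho10 = rand_bit(), rand_bit()
            t01 = ot(rho01, rho01 ^ sA[u], sB[v])   # B gets rho01 xor x0A*x1B
            t10 = ot(rho10, rho10 ^ sA[v], sB[u])   # B gets rho10 xor x1A*x0B
            sA[g] = (sA[u] & sA[v]) ^ rho01 ^ rho10
            sB[g] = (sB[u] & sB[v]) ^ t01 ^ t10
        else:
            raise ValueError(kind)
    out = len(gates) - 1
    return sA[out] ^ sB[out]                      # output reconstruction


def oblivious_equal(x, y):
    """Obliviously test x == y for equal-length bit strings such as '1011'.
    Returns (result_bit, number_of_OTs_used)."""
    global OT_CALLS
    assert len(x) == len(y) >= 1
    OT_CALLS = 0
    a_bits = [int(ch) for ch in x]
    b_bits = [int(ch) for ch in y]
    return evaluate(equality_circuit(len(x)), a_bits, b_bits), OT_CALLS


if __name__ == "__main__":
    print(oblivious_equal("10110010", "10110010"))   # (1, 14): 2(n-1) OTs for n = 8
    print(oblivious_equal("10110010", "10110011"))   # (0, 14)
```

Running it reports (1, 14) for two equal 8-bit strings and (0, 14) for strings differing in one bit: $n-1 = 7$ multiplication gates, two OTs each, and no communication at all for the addition and negation gates. Because OT here is ideal, the block says nothing about how a concrete OT hides the selection bit; it shows only that the invariant of Section 4 holds at every gate and that reconstruction of the output shares yields $f(a,b)$.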



6 Dealing with Malicious Attacks 



Unfortunately, most protocols presented so far only work if the players are semi- 
honest. We first indicate the failures that occur in the examples we have given, 
if one of the players is cheating and deviates from the protocol, i.e. carries out 
a malicious attack. The rest of this section deals with methods to enhance the 
security of OT-protocols, achieving security even in the presence of a malicious 
attacker. We stress that we still assume that the players do not crash before the 
end of the protocol, to ensure fairness. 

As an example of a failure, although Rabin-OT is secure for the sender if the 
receiver is semi-honest and factoring large integers is hard, it is not clear that a 
receiver deviating from the steps required in the protocol couldn’t “extract” the 
factorization from the sender, even without being able to factor large numbers 
efficiently in general. It might be true that there exists a single number modulo n 
such that a square root of it reveals the factorization of n. Given such a number 
it would be easy for the receiver to get the factorization of the sender’s modulus, 
since the sender returns a square-root of any number modulo n that the receiver 
sends. Hence, the receiver would always get the bit b. On the other hand, if the 
sender would choose the modulus n as the product of three primes for instance, 
he can influence the probability with which the receiver gets the bit b. 

Fischer, Micali and Rackoff [44] presented the first realization of OT secure 
against malicious attacks, i.e. it provides security for sender and receiver even if 
one of them deviates arbitrarily from the protocol. 

It is easy to see that the scheme based on RSA we presented is totally insecure
against malicious attacks by the receiver: nothing prevents the receiver from
computing the ciphertext $c_{1-s}$ in the same fashion as $c_s$, i.e. as the encryption of a
second plaintext he knows, in which case the
receiver retrieves both $b_0$ and $b_1$ at the end of the OT.
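The RSA-based OT of Section 3.3 and the malicious-receiver deviation just described, as an added example in Python (illustration code written for this page, not from the paper). Key sizes are toy-sized: the two primes are fixed constants chosen here, and the sender decrypts whatever it is handed, exactly as the protocol prescribes. `Sender`, `honest_receiver`, `malicious_receiver` and the toy primes are assumptions of this example.

```python
# Added example: the RSA hard-core-bit OT of Section 3.3, run first by a
# semi-honest receiver and then by a malicious receiver who encrypts both
# ciphertexts himself.  Not code from the paper.  Parameters are toy-sized
# and fixed here for illustration only (assumption of this example).
import secrets
from math import gcd

P, Q = 104729, 1299709     # constructed toy primes (the 10,000th and 100,000th primes)


def _is_prime(x):
    """Trial division; adequate for the toy sizes used here."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def rsa_keygen(p=P, q=Q, e=65537):
    """Public key (n, e) and secret exponent d with d*e = 1 mod (p-1)(q-1)."""
    assert _is_prime(p) and _is_prime(q) and p != q
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be prime to (p-1)(q-1)"
    return (n, e), pow(e, -1, phi)


def lsb(x):
    return x & 1


class Sender:
    """Holds b0, b1 and the RSA trapdoor; masks each bit with the hard-core
    bit (least significant bit of the plaintext) of the ciphertext it is handed."""

    def __init__(self, b0, b1, key):
        self.b0, self.b1 = b0, b1
        self.pk, self._d = key

    def respond(self, c0, c1):
        n, _ = self.pk
        r0 = lsb(pow(c0, self._d, n))      # RSA is a permutation: every c has a plaintext
        r1 = lsb(pow(c1, self._d, n))
        return self.b0 ^ r0, self.b1 ^ r1   # (b0', b1')


def honest_receiver(sender, s):
    """Semi-honest receiver with selection bit s: learns b_s only."""
    n, e = sender.pk
    m = secrets.randbelow(n)
    c = [secrets.randbelow(n), secrets.randbelow(n)]   # c_{1-s} stays a random integer
    c[s] = pow(m, e, n)                                 # c_s = m^e mod n
    masked = sender.respond(c[0], c[1])
    return masked[s] ^ lsb(m)                           # b_s = b_s' xor r_s


def malicious_receiver(sender):
    """Deviating receiver: encrypts two plaintexts he knows, so he unmasks both bits."""
    n, e = sender.pk
    m0, m1 = secrets.randbelow(n), secrets.randbelow(n)
    masked = sender.respond(pow(m0, e, n), pow(m1, e, n))
    return masked[0] ^ lsb(m0), masked[1] ^ lsb(m1)


def demo():
    """True, True: the honest receiver always gets b_s, the cheater always gets both."""
    key = rsa_keygen()
    honest = [honest_receiver(Sender(b0, b1, key), s) == (b1 if s else b0)
              for b0 in (0, 1) for b1 in (0, 1) for s in (0, 1)]
    cheat = [malicious_receiver(Sender(b0, b1, key)) == (b0, b1)
             for b0 in (0, 1) for b1 in (0, 1)]
    return all(honest), all(cheat)


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The honest receiver always learns exactly $b_s$, and the deviating receiver learns both bits without touching the factorization, which is the point of Section 6: the protocol's sender security rests on the receiver choosing $c_{1-s}$ without knowing a plaintext for it, and nothing in the messages lets the sender check that.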
6.1 Notion of Security of Basic OT

We assume that at most one of the players carries out a malicious attack. These 
are the minimum (and for some applications sufficient) requirements we have to 
make in order for OT resisting malicious attacks to make sense. 

1. If the sender is honest (so the bits $b_0$ and $b_1$ are well-defined) throughout
the protocol, "no matter" how the receiver plays (note that if the receiver is
corrupt, the selection bit $s$ may not even be well-defined in general), at least
one of the bits $b_0, b_1$ remains "completely" unknown to him (see the footnote below).

2. If the receiver is honest throughout the protocol, "no matter" how the sender
plays, the selection bit $s$ remains "completely" unknown to the sender.
Moreover, the receiver always gets some bit, or else just aborts and the sender is
deemed corrupt.

Under this definition, the string-equality protocol of [41] as presented in
Section 2.2 is secure against a malicious attack by one of the players, for instance.
Beaver [9,10] has a simulation based definition of secure OT.



6.2 A General Solution in the Cryptographic Scenario 

Goldreich, Micali and Wigderson [54] have a general defense against malicious 
attacks that works in principle for any OT based on intractability assumptions. 
We give an informal overview. It involves three other important primitives: com- 
mitment schemes, mutually random coins and general zero knowledge techniques. 
Interestingly, all these primitives (including OT) can be realized under the as- 
sumption that trapdoor one-way permutations exist. 



Trapdoor One-Way Permutations. We assume that both players are re- 
stricted to probabilistic polynomial time computations, so that none of the play- 
ers is computationally powerful enough to invert one-way permutations without 
knowing a trapdoor. More precisely, this means that if a trapdoor one-way per- 
mutation is selected at random by one party, then the other party, having ac- 
cess to the description of the forward function only, cannot efficiently invert a 
randomly chosen element from its range. The party knowing the trapdoor can 
efficiently invert the function. Why is it that one party does have the trap- 
door while the other doesn’t? This is by the existence of a special probabilistic 
polynomial time algorithm called trapdoor permutation generator. On input of a 
random bit string, the generator outputs a “random” one-way permutation and 
a corresponding trapdoor. RSA (see Section 3.3) is an example of a trapdoor 
one-way permutation. 

Footnote: Actually, one must require that there is a bit $s$ so that if $b_s$ is given to the receiver,
he still has no information about $b_{1-s}$. This is to exclude the possibility that the
receiver for instance learns $b_0 \oplus b_1$.
Commitments. Conceptually, there is an analogy between vaults and
commitment schemes. Player $A$ has some secret piece of information, and places the piece
in a vault, locks it and memorizes the opening combination. He then passes the
vault on to player $B$, from whom the secret information is hidden until he gets the
secret opening information to open the vault. But in the meantime, player $A$
cannot change the information stored in the vault, since it is no longer in his
possession. Thus, the commitment is binding. At some later moment, player $A$
can simply send the key of the vault to player $B$, who can then open it and read
the information.

Cryptographic, non-physical realizations of commitment schemes can for
instance be based on RSA. Player $A$ generates a key pair $((n, e), (p, q))$ for RSA,
and sends the public key to player $B$. To commit to a bit $b$, $A$ generates a
random plaintext $m$, and computes the corresponding ciphertext $c = m^e \bmod n$. Write $\rho$ for
the least significant bit of $m$. He sets $\delta = b \oplus \rho$ and sends $(c, \delta)$ as the commitment
to $B$. To open the commitment, $A$ sends $m$ and the bit $b$ to $B$, who verifies
that $m$ is the plaintext corresponding to $c$ (i.e. $m^e \equiv c \pmod n$) and that $\delta$ is equal to the sum of
its least significant bit and $b$. The hiding property follows from the fact that
the least significant bit is a hard-core bit (see Section 3.3). The commitment is
binding since RSA is a permutation, so $c$ has exactly one plaintext (if the public exponent $e$ is a prime larger
than the modulus $n$, for instance, $B$ can efficiently verify that the public key
defines a permutation without any further proofs from $A$, since then we have
$\gcd((p-1)(q-1), e) = 1$ for sure and primality can be efficiently tested). Note
that the binding property is unconditional and that the hiding property holds if
$B$ is polynomially bounded. In fact, it can be shown that one-way permutations
are sufficient for commitments.

This seemingly innocent primitive has far reaching applications in
cryptography. For instance, it is sufficient to implement general zero knowledge interactive
proofs [53,56], a method that allows one to prove "anything provable" in zero
knowledge, i.e. to convince a sceptical judge of the veracity of an assertion
without giving any more information away than the fact that the assertion is true (see the footnote below).



Mutually Random Coins. Another application of commitments is mutually
random coins. Here players $A$ and $B$ want to establish a bit (or a string) that
is random if one of them is honest. A simple protocol goes as follows. $A$ selects
a random bit $b_A$ and sends to player $B$ a commitment to it. Player $B$ selects
a random bit $b_B$ and sends it to $A$, who opens the commitment. The bit $b$ is
defined as $b = b_A \oplus b_B$. Binding prevents $A$ from changing $b_A$ after seeing $b_B$, and
hiding prevents $B$ from choosing $b_B$ as a function of $b_A$.



OT Secure against Malicious Attacks. Returning to the problem of defend- 
ing against malicious attacks in OT, we now show how we can defend against 
these attacks by the techniques of [54]. 

Footnote: There is a vast literature dealing with general zero knowledge and commitment
techniques, with many different flavours, styles and security and efficiency properties,
but we do not discuss these any further here.
The key observation is that, for instance in the RSA based example of OT, if
one of the players is honest the security of the other player is guaranteed. That’s 
not what we want, since actually we want that a player’s security is guaranteed 
if he is honest, no matter what the other player does. Nevertheless, in some sense 
this fact is the basis for achieving it: based on the primitives outlined above, an 
honest player can force the other player to be honest as well or else the protocol 
simply halts with no advantage for the corrupt player. 

This has become an important design principle throughout the field of cryp- 
tography: often it is possible to start from a cryptographic protocol that is se- 
cure if its participants are semi-honest and to transform it into a protocol secure 
against malicious adversaries, by forcing each player to prove that he behaved 
as a semi-honest participant. 

We start looking into the details. First of all, it's useful if the randomness
used by each player is mutually random. However, it is in the interest of both
players not to reveal their randomly chosen bits, for obvious security reasons. Say
that each player needs at most $\ell$ random bits. Then they execute the protocol
for achieving a mutually random bit $\ell$ times in parallel where the receiver is
the committing party, and $\ell$ times in parallel where the sender is the committing
party. However, they do not open any of the commitments used. Note that in the
first case this implies that the receiver knows the resulting mutually random bits
whereas the sender does not. So the receiver can use these bits later on whenever
they are required, and in fact we will explain how the sender can verify that the
receiver used them, in a way that is secure for the receiver. The second case is
of course similar, with the roles reversed.

Let's first look at the sender's security and let's look at the RSA example
from Section 3.3. The sender wants to make sure that the receiver gets at most
one of the bits $b_0, b_1$. It is sufficient if the receiver can convince the sender of
the veracity of the following assertion about the ciphertexts $c_0, c_1$: one of them
is equal to some particular string of mutually random bits, and the other one is
equal to the RSA function applied to some other particular string of mutually
random bits (in this case we refer to those mutually random bits that the receiver
knows, but the sender doesn't). To protect the receiver in case he is honest, the
means by which the receiver convinces the sender of this assertion must be
zero-knowledge.

Roughly speaking, it is now fairly easy though tedious for the sender and
receiver to efficiently derive by themselves, from what is known to both of them,
a description of a function $F$ and a function value $y$ such that the assertion
about the ciphertexts $c_0, c_1$ is equivalent to saying that there exists an $x$ with
$F(x) = y$. Furthermore, if the receiver followed the protocol, he can actually
efficiently determine such an $x$.

The zero knowledge techniques from [53] are designed for exactly this
technical situation! So in principle, the security of the sender can be guaranteed.

As to the receiver's security, his selection bit is protected by the fact that
the proof of the assertion is zero knowledge.
Therefore, under fairly general intractability assumptions, OT that is secure
against malicious attacks can be realized. However, it is very costly to resort 
to the powerful techniques underlying the defense. In concrete situations with 
specific implementations of OT, there may exist a more efficient way to enhance 
the security. 



Oblivious Function Evaluation and Malicious Attacks. So, are we done 
and can we now use the OT with enhanced security directly in the general 
protocol from Section 4 and obtain general oblivious function evaluation secure 
against malicious attacks by one of the players? 

No! There are many more things to be fixed first. For instance, in each current 
gate, the inputs used must be the same as the outputs of some earlier gates. 
Here a solution is to have both players always commit to their inputs at each 
current gate and have them prove to each other in zero knowledge that these 
commitments commit to the same values as the outputs of the gates that are 
supposed to deliver the inputs to the current gate. In particular, both players 
commit to their initial inputs. 

Furthermore, using similar techniques as in the case of OT with strengthened 
security above, it is not so difficult anymore to handle the full set of instructions 
from Section 4 securely at all gates. 

We return later to the techniques of GMW [54]. 



7 A Generic Solution 

Another fundamental result is by Kilian [62] , who shows constructively that OT 
is necessary and sufficient for general oblivious function evaluation, even if one 
of the players is malicious. From the previous section it should have become clear 
that this is by no means obvious. 

Given OT as a black box (see the footnote below) and given a function to be obliviously evaluated
and a circuit for it, there is a generic transformation that results in a set of
protocols for the players to execute. It is immaterial how the OT works exactly:
at those points in the protocols where OT is required, only calls are made to a
black box for doing OT. In the other direction, note that OT can be viewed as
an oblivious evaluation of the function $f(b_0, b_1, s) = (s \oplus 1)b_0 \oplus s b_1$.

Another contribution of [62] concerns the round-complexity of general secure 
function evaluation, which is shown to be constant with polynomial size message 
complexity if the function can be computed by a polynomial size formula (i.e. 
the fan-out of the gates in the circuit is 1). 

We do not overview a proof of Kilian’s result, but only introduce some of its 
fundamental parts. 



Footnote: It is beyond the scope of the present paper to discuss the exact security definition
required for this result.
7.1 Commitment Based on OT

Kilian shows how a commitment scheme (which he attributes to Crépeau) can
be simulated from OT as follows. Let $b$ be the bit that player $A$ wants to commit
to. $A$ and $B$ agree on a security parameter $k$.

1. For $i = 1 \ldots k$, $A$ selects a pair of random bits $(r_i^0, r_i^1)$ such that $b = r_i^0 \oplus r_i^1$.

2. For $i = 1 \ldots k$, $B$ selects a random bit $s_i$.

3. For $i = 1 \ldots k$, with $A$ being the sender and $B$ the receiver, they execute
$\mathrm{OT}(r_i^0, r_i^1, s_i)$.

4. $B$ takes the bits received, together with his own random choices $s_i$, as $A$'s
commitment.

5. To open the commitment, $A$ reveals the bit $b$ and, for $i = 1 \ldots k$, the ordered
pairs $(r_i^0, r_i^1)$. Player $B$ accepts the opening if and only if this information is
consistent, i.e. $r_i^0 \oplus r_i^1 = b$ for all $i$ and $r_i^{s_i}$ equals the bit he received in the $i$-th OT.

Player $A$'s cheating probability is at most $1/2^k$: to open to $1 \oplus b$, $A$ must flip exactly
one bit of each pair $(r_i^0, r_i^1)$, and this goes unnoticed only if the flipped bit is the one
$B$ did not receive. So if $A$ were able to open the commitment in two different ways, he
would have to guess all of $B$'s random bits, and the binding property is satisfied. The
hiding property follows immediately from the definition of OT: $B$ learns only one bit of
each pair, and that bit is uniformly random.
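The commitment of steps 1 to 5, as an added example in Python (illustration code written for this page, not Kilian's or Crépeau's code). OT is again an ideal black box; the binding bound $1/2^k$ is made concrete by enumerating all $2^k$ pair lists that XOR to a given bit and counting how many of them $B$ would accept. Function names are assumptions of this example.

```python
# Added example: the Crepeau/Kilian bit commitment built from k oblivious
# transfers (Section 7.1).  Not code from the paper.  OT is an ideal black
# box, and the binding argument is made concrete by enumerating every
# opening a committer could present for a given bit.
import secrets
from itertools import product


def ot(b0, b1, s):
    """Ideal 1-out-of-2 OT used as a black box: the receiver learns b_s only."""
    return (b0, b1)[s]


def commit(b, k):
    """Committer A runs k OTs with receiver B.  Returns A's opening information
    (the pairs) and B's view (his selections s_i and the bits he received)."""
    pairs = []
    for _ in range(k):
        r0 = secrets.randbelow(2)
        pairs.append((r0, r0 ^ b))              # r_i^0 xor r_i^1 = b
    selections = [secrets.randbelow(2) for _ in range(k)]
    received = [ot(r0, r1, s) for (r0, r1), s in zip(pairs, selections)]
    return pairs, (selections, received)


def verify_opening(view, b, pairs):
    """B accepts iff every pair XORs to b and the bit received in OT i is r_i^{s_i}."""
    selections, received = view
    if len(pairs) != len(selections):
        return False
    return all(r0 ^ r1 == b and (r0, r1)[s] == got
               for (r0, r1), s, got in zip(pairs, selections, received))


def count_accepted_openings(view, b):
    """Among the 2^k pair lists that XOR to b, how many would B accept?
    Exactly one for each value of b: the receiver's selections fix r_i^{s_i}
    for every i.  The honest committer knows the accepted list for his bit;
    finding the one for the other bit means guessing every s_i."""
    k = len(view[0])
    return sum(verify_opening(view, b, [(r0, r0 ^ b) for r0 in choice])
               for choice in product((0, 1), repeat=k))


if __name__ == "__main__":
    k = 10
    pairs, view = commit(1, k)
    print(verify_opening(view, 1, pairs))              # True
    print(verify_opening(view, 0, pairs))              # False
    print(count_accepted_openings(view, 0), 2 ** k)    # 1 of 1024: cheating chance 2^-k
```

For either value of the bit exactly one of the $2^k$ candidate openings is accepted. The honest committer knows the accepted opening for $b$ (it is the one he used); to open to $1 \oplus b$ he would have to find the other one, which amounts to guessing every $s_i$. Hiding is immediate from the OT black box: $B$ only ever receives one uniformly random bit per pair, whatever $b$ is.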

7.2 Committed Oblivious Transfer (COT) 

COT is as OT, except that

1. Initially, the sender is committed to his input bits $b_0, b_1$, and the receiver is
committed to his selection bit $s$.

2. At the end of the protocol, the receiver is committed to the received bit $b_s$.

An alternative proof of Kilian’s result can be found in [35], who introduce COT 
and show that it is sufficient for secure function evaluation tolerating a malicious 
attacker, and that COT can be simulated from OT (they don’t treat the con- 
stant round issue though). The latter construction involves so-called envelope 
techniques and error correcting codes. 



8 Other Work 

Some suggestions for further reading about defining OT secure against malicious 
attacks and constructions of secure OT : Beaver addresses the pitfalls in attempts 
to define OT secure against malicious attacks and presents solutions and con- 
structions [7,9]. In [10], he gives a precise definition of OT so that when used in 
a multi-party computation protocol the protocol as a whole is secure against a 
malicious adaptive attacker. 

The above references and Crepeau [34] (besides those references we already 
mentioned) contain a host of other interesting references. 
Part II

General Secure Multi-party Computation 

9 Introduction 

The protocols from Sections 4 and 6.2 have an obvious extension from two players 
to n players guaranteeing correctness and privacy. This is done by using n-out- 
of-n additive sharing of bits and executions of OT between every pair of players. 
In this case, privacy of a single player is guaranteed even if the n — 1 other players 
pool their complete views on the protocol. The extension to n > 2 players of the 
protocol from Section 6.2 is even secure against malicious attacks. 

However, the fairness condition is only fulfilled by making a strong assump-
tion on the behaviour of the players, since one party can leave the protocol
knowing the result of the computation whereas the others remain ignorant about
it, or simply disrupt it in an early stage.

An important contribution of Goldreich, Micali and Wigderson [54], is that
they explain how privacy can be traded for fairness. In fact, they achieve the 
stronger property of robustness: it is not only infeasible for corrupted parties 
to walk away prematurely with the result of the computation and leaving the 
remaining players ignorant about it, they can’t disrupt the computation at all: if 
the corrupt players leave the computation, the remaining ones will still be able 
to complete the computation. 

More precisely, they show that even if at most a minority of the players 
perform a coordinated malicious attack, then correctness, privacy and robustness 
can be guaranteed. 

Apart from the GMW techniques we discussed in Section 6.2, they employ what
is called verifiable secret sharing, which was first introduced by B. Chor, S.
Goldwasser, S. Micali and B. Awerbuch [27].

Before sketching the full protocol of GMW, we introduce secret sharing and 
verifiable secret sharing in the next sections. 

10 Secret Sharing with Semi-Honest Participants 

In a secret sharing scheme there is a dealer and a number of agents. The dealer 
holds some secret string s, and sends shares of s privately to each of the agents. 
These shares are computed in such a way that only certain specific subsets of 
the agents can reconstruct the secret s by pooling their shares, while others have 
no information about it. 

Secret sharing was invented independently by A. Shamir [73] and B. Blakley 
[15] in 1979. Their solutions allow the dealer to consider any number n of agents 
and any threshold t < n, such that from any subset of size at least t of the 
shares the secret s can be reconstructed uniquely and efficiently, whereas sets 
containing less than t shares contain no information at all about s. 
We explain Shamir's scheme which is based on Lagrange interpolation over
finite fields. We assume that all parties involved are semi-honest.

We use the following version of Lagrange interpolation. Let $K$ be a (finite)
field. Suppose we are given any $t \ge 1$ points $(p_1, q_1), \ldots, (p_t, q_t)$ in the plane
$K^2$, where the $p_i$'s are all different. Then there is a unique polynomial $f(X) \in
K[X]$ of degree smaller than $t$ that passes through these $t$ points, i.e. $f(p_1) =
q_1, \ldots, f(p_t) = q_t$.

First we discuss existence. For each $1 \le i \le t$ define the polynomial

$$f_i(X) = \prod_{1 \le j \le t,\; j \ne i} \frac{X - p_j}{p_i - p_j}.$$

Observe that each $f_i$ has degree exactly $t-1$ and that $f_i(p_i) = 1$ whereas
$f_i(p_j) = 0$ if $j \ne i$.

But then it follows immediately that the following polynomial $f$ does the
trick (Lagrange interpolation formula).

$$f(X) = \sum_{1 \le i \le t} q_i \cdot f_i(X).$$

Note that $f(X)$ has degree at most $t-1$. Indeed, it can be strictly smaller than
$t-1$.

As to uniqueness, note that if there were another polynomial $f'(X) \in K[X]$ of
degree smaller than $t$ that agrees with $f$ on all $t$ points, then the polynomial
$f - f' \in K[X]$ has $t$ zeroes while its degree is smaller than $t$. So $f - f'$ must
be identical to the zero polynomial, since it's well known that any polynomial
$g \in K[X]$ has at most $\deg(g)$ zeroes unless it's the zero polynomial.

To set up Shamir's secret sharing scheme, let $K$ be a finite field with $|K| > n$,
where $n$ is the number of agents. Let $P_1, \ldots, P_n$ be distinct, non-zero elements
of $K$, and let these values serve as "names" for the $n$ agents. Let $1 \le t \le n$ be
the threshold. The secret space in which the dealer codes the secret $s$ is $K$. For
each $s \in K$, define $\Pi(t, s)$ as the set of all polynomials $f(X) \in K[X]$ such that
$\deg(f) < t$ and $f(0) = s$.

One can efficiently sample a random member from $\Pi(t, s)$ by setting the
lowest-order coefficient to $s$ and taking random elements from $K$ for the
remaining $t - 1$ coefficients (see the footnote below).

The field $K$, the threshold $t$, the names $P_1, \ldots, P_n$ and the protocol below are
known to all players. We assume that for each agent, there is a separate private
communication channel with the dealer (for instance one based on public key
encryption).

— Distribution Phase: The dealer has a secret $s \in K$, and selects a random
polynomial $f(X) \in \Pi(t, s)$ and sends $s_i = f(P_i)$ as share in $s$ privately to
player $P_i$, $i = 1 \ldots n$.

Footnote: Note that this does not necessarily mean that one generates a polynomial of degree
exactly $t - 1$, since $0 \in K$ is also in play.
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— Reconstruction Phase: From collection of > t shares, the corresponding play- 
ers pool their shares and jointly reconstruct f{X) and compute /(O) = s. 

By Lagrange interpolation it is clear that reconstruction works as desired. 

As to privacy, consider an arbitrary subset $V$ of the agents of size $t-1$.
Write $V = \{P'_1, \ldots, P'_{t-1}\} \subset \{P_1, \ldots, P_n\}$, and write $s'_1, \ldots, s'_{t-1}$ for the shares
$f(P'_1), \ldots, f(P'_{t-1})$ of $V$.

Observe that for each $s' \in K$, the $t$ points $(0, s'), (P'_1, s'_1), \ldots, (P'_{t-1}, s'_{t-1})$
uniquely determine a polynomial $f'(X) \in \Pi(t,s')$ that passes through all of
them.

So from the joint view of the players in $V$, each secret is equally likely (take
into account that the dealer chose $f$ at random, given $s$) and hence the shares
held by $V$ give no information about the real secret $s$.

Note that since the joint view of any set of size $t-1$ gives no information
about the secret, the view of a smaller subset doesn’t give information about
the secret either. This follows from the fact that a smaller subset holds even less
information.



11 Verifiable Secret Sharing 

In the presence of participants carrying out malicious attacks, there are two
threats in Shamir’s scheme.

— The dealer may send inconsistent shares, i.e. not all of them are simultaneously
on some polynomial of degree smaller than $t$.

— At reconstruction, players may contribute false shares so that $\tilde{s} \neq s$ is
reconstructed, or nothing at all.

Note that if the malicious players coordinate well, the honest players cannot 
in general distinguish between “good shares” and “bad shares”. Therefore, the 
honest players may not even be able to figure out who the malicious players are. 
In this section we explain methods to remedy this situation. 

11.1 Definition of Malicious Adversary 

Before we define verifiable secret sharing (VSS) to remedy these threats, we make
the model more precise and introduce some terminology. Consider a dealer and
$n$ agents. A malicious adversary is allowed to corrupt the dealer and any single
subset of the $n$ agents of size smaller than $t$. All other players are honest. Later,
during the execution of a protocol, the adversary is allowed to alter and control
the behaviour of the corrupted players at his will, and even have them behave
in a coordinated fashion. In particular the adversary can make some corrupted
players crash. For simplicity, we assume that the adversary makes the choice
of which subset to corrupt before anything has happened, i.e. before the start of a
protocol.

In many multi-party computation protocols, the dealer will in fact at the same time
also be one of the agents. In this case, there are in total $n$ players involved, and
the condition on the adversary is equivalent to saying that he is allowed to corrupt
any single subset of size less than $t$ of the $n$ players, without distinguishing between
dealer and agents.

11.2 Definition of VSS 

The following informal definition is based on a formal definition of VSS from 
[50]. 

1. If the dealer is honest, then the distribution of a secret s always succeeds, 
and the corrupted players gain no information about s as a result of the 
distribution phase. At reconstruction, the honest players recover s. These 
properties hold regardless of the behaviour of the corrupted players. 

2. If the dealer is corrupt, then the following holds. Either the dealer is deemed
corrupt by the honest players, and all of them abort the distribution phase (another
possibility is that the honest players take some default set of shares). Else, the
distribution phase is accepted by the honest players and some value
$s$ is uniquely fixed by the information held by the honest players as a result
of the distribution phase. In the reconstruction phase, the honest players
recover this value $s$. These properties hold regardless of the behaviour of the
corrupted players.

Note the absence of a secrecy condition in the corrupt dealer case: if the set of
corrupted players includes the dealer, the adversary controlling them knows the
secret. Therefore, it is only required that in this case the protocol is robust. The
honest dealer case of course corresponds to what one would naturally require.

11.3 VSS Scheme

Here is a sketch of a generic construction of VSS based on a combination of
Shamir’s secret sharing scheme, commitments and zero-knowledge interactive
proofs. Let the threshold $t$ for Shamir’s scheme satisfy $t-1 < n/2$.

Commitments We assume that we have a commitment scheme for committing
to $\log|K|$ bits, for instance obtained as a parallel version of the commitments
from Section 6.2 based on RSA or trapdoor one-way permutations.

From a high level, a commitment protocol based on such primitives works
as follows. There is a public, efficiently computable function “commit” whose
description follows from the primitive chosen, and it takes as input a random $m$-bit
string (for some $m$ that will be clear from the primitive) and some $\log|K|$-bit
string.

To commit to a $\log|K|$-bit string $x$, one chooses a random $m$-bit string $\rho$ and
computes $C = \mathrm{commit}(x, \rho)$. Finally, one publishes $C$ as a commitment.

To open, one publishes $x$ and $\rho$. The opening is verified by checking that
$\mathrm{commit}(x, \rho) = C$. We call the string $\rho$ the opening information of the commitment
to $x$.

Broadcast We now also assume that a primitive called broadcast is at the
disposal of the participants. This is a mechanism by means of which any of 
the participants can make sure that a message he has for all players is received 
unaltered by the honest players, despite the possible presence of malicious adver- 
saries. Furthermore, we assume that recipients can establish who is the originator 
of the message. This mechanism may be realized by physical means or may be 
simulated by a protocol among the players. It suffices to know that it can be 
realized using digital signatures for instance. 



VSS Protocol Here is an informal overview of a VSS protocol due to [54], which
is also a nice illustration of the power of zero knowledge techniques and
commitments. We assume that all players are restricted to probabilistic polynomial
time computations.

— Distribution Phase: The dealer has secret $s \in K$, and computes shares
$s_1, \ldots, s_n$ of $s$ as in Shamir’s scheme. For $i = 1, \ldots, n$, he computes a
commitment $C_i$ to $s_i$. After he has broadcast the commitments to all players,
he proves in zero knowledge to all players $P_1, \ldots, P_n$ that the commitments
contain shares consistent with some secret. If this proof is accepted, he sends
$s_i$ and the opening information for $C_i$ privately to $P_i$, $i = 1, \ldots, n$.

— Reconstruction Phase: As in Shamir’s scheme, except that each player $P_i$
not only broadcasts his share $s_i$, but also the opening information for $C_i$.
For reconstruction of the secret $s$, the honest players only take those shares
whose corresponding commitment is opened successfully.

We briefly analyze this protocol. Regarding the zero knowledge proof of con- 
sistency, we assume that it proceeds in such a way that consistency holds if and 
only if the proof is accepted by all honest players (except with negligible error 
of course). 

There are a number of ways to achieve this, for instance by having each player
separately and publicly (using the broadcast primitive) act as a verifier in a
zero knowledge proof by the dealer, while all others verify whether the proof is
accepting. Only if the dealer at some point returns a proof that is not accepting,
the honest players accuse the dealer and abort. Note that if consistency does not
hold, then with high probability the proof when verified by an honest player will
fail.

The actual consistency statement that the dealer has to prove could take the
following form: there exist $s, a_1, \ldots, a_{t-1} \in K$ and $\rho_1, \ldots, \rho_n \in \{0,1\}^m$ such that

$$C_i = \mathrm{commit}\Big(s + \sum_{1 \leq k \leq t-1} a_k P_i^k,\; \rho_i\Big) \quad \text{for } i = 1, \ldots, n.$$

Such statements can be proved in zero knowledge by the methods of [53], for
instance.

If the dealer is honest, the distribution phase definitely succeeds. Privacy
follows from the hiding property of the commitments (the corrupted players are
polynomially bounded and hence cannot read the contents of commitments), the
privacy of Shamir’s scheme, and the zero knowledge property of the proofs.

Looking at the reconstruction phase, and assuming that the distribution
phase was successful, we note that in the case of corrupt shares, the commitments
cannot be successfully opened since this would contradict the binding property.
Therefore, false shares are always found out and can henceforth be ignored by
the honest players. In summary, the only malicious action the corrupt players
can undertake is to refuse to participate in the reconstruction phase. But since
there are at most $t-1$ corrupt players and since we assumed that the threshold
$t$ in Shamir’s scheme satisfies $t-1 < n/2$, there are always $t$ honest players
to reconstruct the secret $s$.



11.4 Other Work 

Particularly efficient VSS schemes based on specific intractability assumptions (discrete
logarithms) are presented in [42] and [67]. See also [28]. In a later section we
discuss information theoretic VSS.



12 GMW: Achieving Robustness 

With VSS in hand, the GMW protocol first has each player VSS each of his
inputs before the $n$-player extension of the protocol from Section 6.2 is executed
(see Section 9). At the end of the protocol, each player applies VSS again, this
time to the (additive) shares in the result of the computation. This requires
additional zero knowledge proofs (in the same style as before) showing that
these additive shares are indeed shared with VSS.

If one of the players fails in this phase (or earlier) he is kicked out of the
computation, and the remaining players back up to the beginning, reconstruct
the failed player’s input, and do the protocol over again, this time simulating
the failed player openly. Note that up to $t-1$ corrupted parties are tolerated in
this way. With a similar argument as in the case of VSS, this can be shown to
be optimal. There are more efficient variants, see [57] for a full description and
analysis of the GMW-result.

The analysis [57] of the actual GMW-protocol is very complex and has to 
deal with many subtleties that have been suppressed in our informal overview. 

This argument can also be used to show that $t-1 < n/2$ is optimal, i.e. it is not
only sufficient but also necessary.

We have made a number of simplifications for ease of exposition. For instance, we
have neglected input independence: in reality one must make sure that the corrupted
parties choose their inputs to the computation independently from the inputs of the
honest parties. This can be achieved by having all players commit to their inputs
and having them give a zero knowledge proof of knowledge showing they can open
these commitments.
13 Other Work

Chaum, Damgaard and van de Graaf [23] present protocols where one of the
players’ input is unconditionally protected. Kilian, Micali, and Ostrovsky [63]
show how oblivious transfers can be used in zero knowledge protocols. Galil,
Haber and Yung [48] achieve greater efficiency with their computation protocols.
Recently, Gennaro, Rabin and Rabin [52] presented particularly efficient
protocols for the cryptographic model (see also [28]).



Part III 

Information Theoretic Security 

14 Introduction 

In 1987, two independent papers by M. Ben-Or, S. Goldwasser and A. Wigderson
[13], and D. Chaum, C. Crépeau and I. Damgaard [24] achieved a new breakthrough
in the theory of general multi-party computations.

They demonstrated the existence of information theoretically secure general 
multi-party computation protocols. 

The price to be paid is a smaller tolerance with respect to the number of 
maliciously behaving players. Whereas [54] tolerates any malicious minority un- 
der the assumption that the players are computationally bounded, the protocols 
of [13] and [24] tolerate any malicious subset of size less than a third of the 
total number of players, with no assumptions on the computational power of the 
adversary. However, both papers argue that this is essentially the best one can 
achieve. 

A common feature of both papers is the use of Shamir’s secret sharing scheme,
and the general paradigm of compiling a protocol secure against semi-honest
players into one secure against malicious players by forcing all players to prove
that they behave as semi-honest ones. However, [13] relies on techniques from the
theory of error correcting codes, while [24] is based on distributed commitments
and zero-knowledge. The result from [13] achieves perfect correctness, while [24]
has a negligibly small error probability.

An interesting side-contribution of [24], seemingly often overlooked, is that it employs
general zero knowledge techniques and information theoretically secure commitments
in a distributed setting, showing that general zero knowledge makes sense (in a
distributed setting) even if for instance NP = P.

14.1 Model

We make the model of BGW [13] and CCD [24] a bit more precise.

Communication:

— The $n$ players are arranged in a complete (synchronous) network.

— Untappable private channels between each pair of players are available.

Adversary:

— The adversary is allowed to corrupt any single subset of size $k$ of the players
before the start of the protocol.

— Exercising complete control over the corrupted players, the adversary is allowed
to force the corrupted players into a coordinated malicious attack on
the protocol.

Function:

— Any efficiently computable function $g$ with $n$ inputs.

14.2 Results of CCD and BGW

There is a correct, private, robust polynomial time protocol evaluating $g$ iff
the adversary corrupts at most $k < n/3$ players. In the semi-honest case this is
$k < n/2$. These bounds are optimal.

Given a broadcast channel for free, a malicious minority can also be tolerated by the
result of T. Rabin and M. Ben-Or [70,69] at the expense of a negligible correctness
error.

14.3 Remark on Broadcast

For security against malicious attacks, both results require the availability of a
broadcast channel [64]. It is clearly not an option to use digital signatures in
this case, since this does not fit with the context of information theoretically secure
protocols.

However, broadcast among $n$ players can be efficiently simulated even in the
presence of at most $t-1 < n/3$ malicious players (see for instance [43,49]). This
bound is optimal.

14.4 Outline of this Part

Instead of explaining the techniques of [24] and [13], we will sketch proofs of their
results based on recent developments in the theory of multi-party computation
due to Gennaro, Rabin and Rabin [52] and Cramer, Damgard and Maurer [28].
We first treat the semi-honest case.

15 Semi-Honest Case

We show how $n$ players can securely compute on shared secrets. More concretely,
$n$ players have shares in two secrets (according to Shamir’s secret sharing scheme)
and they wish to compute, from these, random shares in the sum or the product
of these secrets.

We first treat these two cases. Later we show how this allows the $n$ players
to compute an arbitrary function on shared secrets.
15.1 Computing on Shared Secrets

Constants, Addition Suppose there are $n$ players holding shares of two secrets
$s$ and $s'$, both resulting from Shamir’s secret sharing scheme, with parameters
$n$ and $t$. It is easy to see that shares for the sum $s + s'$ are obtained when
each player simply adds his shares of $s$ and $s'$. Moreover, if the players later
reconstruct $s + s'$ from these new shares, no new information about $s, s'$ is given
away beyond what can be deduced from their sum $s + s'$.

If the dealer used polynomials $f$ and $g$ to compute the shares of $s$ and $s'$
respectively, the new shares “look” as if the dealer had used the polynomial
$f + g$ to compute shares of $s + s'$.

Similarly, for any constant $c$ known to all players, they compute shares for
$c \cdot s$ (respectively, $c + s$) by multiplying (respectively, adding) each share by $c$.



Multiplication We explain a method introduced by R. Gennaro, T. Rabin and
M. Rabin [52]. Suppose there are $n$ players holding shares of two secrets $s$ and
$s'$, both resulting from Shamir’s secret sharing scheme, with parameters $n$ and
$t$.

The goal of the players is to jointly compute on their shares such that as a 
result they hold shares in the product s • s', also resulting from Shamir’s secret 
sharing scheme with parameters n and t. Moreover, they require that these 
shares for s • s' are randomly generated, as if the (honest) dealer had not only 
distributed shares for s and s', but independently for s • s' as well. 

If we consider the joint view of any set of $t-1$ players, we can observe that this
randomness condition has the following effect. If $s \cdot s'$ is later reconstructed from
the $n$ shares of $s \cdot s'$, the shares revealed together with the complete information
held by the $t-1$ players do not give information beyond $s \cdot s'$ and what can be
inferred from it.

Unlike the case of addition, this is not trivial to solve. The first protocols for 
this task appeared in [24] and [13], but the solution of [52] we explain here is 
elegant and simple. 

Let $f$ and $g$ denote the polynomials used by the dealer. Let $n$ denote the
number of players (agents) and $t$ the threshold. We assume that $t-1 < n/2$.

We have $f(0) = s$ and $g(0) = s'$, and both polynomials are of degree less
than $t$. For $i = 1, \ldots, n$, write $s_i = f(P_i)$ and $s'_i = g(P_i)$ for player $P_i$’s shares in
secrets $s$ and $s'$, respectively.

We are interested in $s \cdot s'$. Observe that the polynomial $f \cdot g$ satisfies $(f \cdot g)(0) =
s \cdot s'$ and that it has degree at most $2t-2 < n$. Furthermore, for $i = 1, \ldots, n$,
$(f \cdot g)(P_i) = s_i \cdot s'_i$, which is a value that player $P_i$ can compute on his own.

Therefore, by Lagrange interpolation and by our assumption $t-1 < n/2$, the
players at least hold enough information to define $f \cdot g$ uniquely.

Now comes the interesting point. First, there exists a fixed linear combination,
whose coefficients $r_1, \ldots, r_n \in K$ only depend on the $P_i$’s, over the
“product-shares” $s_i \cdot s'_i$ that yields $s \cdot s'$. This is easy to see. By the Lagrange
interpolation formula (applied to the $n$ points $(P_i, s_i s'_i)$ on $f \cdot g$) we have

$$s \cdot s' = (f \cdot g)(0) = \sum_{1 \leq i \leq n} \Big( \prod_{1 \leq j \leq n,\; j \neq i} \frac{P_j}{P_j - P_i} \Big) \cdot s_i s'_i.$$

So the values between brackets are the coefficients $r_1, \ldots, r_n$, and all of these
can be computed from public information. A simple but important fact for the
analysis to follow is that at least $t$ of these values are non-zero. For suppose
without loss of generality that $r_t = \ldots = r_n = 0$. Then we have, for instance,
$(f \cdot 1)(0) = s = \sum_{1 \leq i \leq t-1} r_i s_i$, where $1$ denotes the polynomial $1 \in K[X]$.

This would mean that players $P_1, \ldots, P_{t-1}$ can break Shamir’s secret sharing
scheme, a contradiction.

Of course the players don’t want to keep these product-shares as their 
shares in s • s'; first of all it changes the threshold, and second, these product- 
shares are by no means random shares of the secret s • s'. In fact, reconstruction 
could reveal more than just s • s' in the sense that it could also reveal information 
about s, s' individually. 

Therefore, they first re-share their product-shares: each player $P_i$ acts as a
dealer and distributes shares of his secret $s_i \cdot s'_i$ to all players ($P_i$ included for
completeness), using the same parameters $n$ and $t$ and resulting in share $u_{ij}$ for
player $P_j$, $j = 1, \ldots, n$. Write $h_i$ for the polynomial used by $P_i$.

Consider the polynomial

$$h(X) = \sum_{1 \leq i \leq n} r_i \cdot h_i(X).$$

This has degree $< t$, and $h(0) = \sum_{1 \leq i \leq n} r_i \cdot h_i(0) = \sum_{1 \leq i \leq n} r_i \cdot s_i s'_i = s \cdot s'$.
Therefore, when each player $P_i$ now computes

$$v_i = \sum_{1 \leq j \leq n} r_j \cdot u_{ji},$$

$P_i$ has a share $v_i$ in $s \cdot s'$ resulting from the polynomial $h(X)$ of degree less than
$t$.

As to privacy, it is sufficient to note that from the point of view of any
coalition of the players of size $t-1$ or smaller, the polynomial $h$ contains at
least one $h_i$ contributed by a player outside the coalition, since at least $t$ of the
$r_1, \ldots, r_n$ are non-zero.
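As an added example (not code from the chapter or from [52]), the following Python carries out Shamir’s scheme as set up above, the addition and constant gates, the multiplication step just described, and the gate-by-gate evaluation of a small constructed circuit; the field $K = GF(2^{61}-1)$, the names $P_i = 1, \ldots, 5$ and the threshold $t = 3$ are assumptions.

```python
# Added example, not from the chapter: Shamir's scheme over a prime field
# K = GF(P), Lagrange reconstruction, and the Gennaro-Rabin-Rabin
# multiplication step (re-sharing product-shares with the public r_i).
import random

P = 2**61 - 1   # prime modulus; assumption: the chapter leaves the field K abstract


def inv(a):
    """Multiplicative inverse in GF(P) (Fermat, P prime)."""
    return pow(a % P, P - 2, P)


def lagrange_at_zero(names):
    """Coefficients lambda_i with f(0) = sum_i lambda_i * f(P_i) for every
    polynomial f of degree < len(names): lambda_i = prod_{j != i} P_j / (P_j - P_i)."""
    lam = []
    for i, pi in enumerate(names):
        num, den = 1, 1
        for j, pj in enumerate(names):
            if j != i:
                num = num * pj % P
                den = den * (pj - pi) % P
        lam.append(num * inv(den) % P)
    return lam


def share(s, t, names):
    """Distribution phase: pick a random f in Pi(t, s) (constant term s,
    t-1 random coefficients) and return the shares f(P_1), ..., f(P_n)."""
    coeffs = [s % P] + [random.randrange(P) for _ in range(t - 1)]
    return [sum(c * pow(p, k, P) for k, c in enumerate(coeffs)) % P for p in names]


def reconstruct(names, shares):
    """Reconstruction phase from >= t shares held by the players in `names`."""
    lam = lagrange_at_zero(names)
    return sum(l * v for l, v in zip(lam, shares)) % P


def add_shares(x, y):
    """Addition gate: each player adds its two shares (shares on f + g)."""
    return [(a + b) % P for a, b in zip(x, y)]


def scale_shares(c, x):
    """Multiplication-by-constant gate: each player multiplies its share by c."""
    return [c * a % P for a in x]


def mul_shares(names, t, x, y):
    """Multiplication gate (GRR): from shares x_i = f(P_i), y_i = g(P_i) obtain
    fresh shares of f(0)*g(0) on a polynomial h of degree < t.
    Requires 2t - 2 < n so that f*g is determined by its n values."""
    n = len(names)
    r = lagrange_at_zero(names)                      # public coefficients r_1..r_n
    # Player i re-shares its product-share x_i*y_i; u[i][j] is the share sent to j.
    u = [share(x[i] * y[i] % P, t, names) for i in range(n)]
    # v_i = sum_j r_j * u_{j,i} = h(P_i) with h = sum_j r_j * h_j.
    return [sum(r[j] * u[j][i] for j in range(n)) % P for i in range(n)]


def evaluate_circuit(a, b, c, t=3, names=(1, 2, 3, 4, 5)):
    """Section 15.2 protocol on the constructed circuit 3*(a*b) + c:
    share the inputs, process the gates on shares, reconstruct from t shares."""
    names = list(names)
    sa, sb, sc = share(a, t, names), share(b, t, names), share(c, t, names)
    prod = mul_shares(names, t, sa, sb)          # shares of a*b, degree < t again
    out = add_shares(scale_shares(3, prod), sc)  # shares of 3*(a*b) + c
    return reconstruct(names[:t], out[:t])       # any t players suffice


def product_needs_all_shares(a, b, t=3, names=(1, 2, 3, 4, 5)):
    """Without re-sharing, the raw product-shares lie on f*g of degree <= 2t-2:
    all n of them are needed to reconstruct a*b, which is why the threshold changes."""
    names = list(names)
    sa, sb = share(a, t, names), share(b, t, names)
    raw = [x * y % P for x, y in zip(sa, sb)]
    return reconstruct(names, raw)


if __name__ == "__main__":
    print(evaluate_circuit(7, 11, 5))          # 236
    print(product_needs_all_shares(7, 11))     # 77
```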

15.2 Protocol for Semi-Honest Participants 

Based on the techniques for computing on shared secrets, we now present a
general multi-party computation protocol (essentially due to [52]) secure if a
semi-honest adversary has access to the complete information of at most $t-1$
players, where $t-1 < n/2$.

We assume that the function they wish to jointly compute is given as an
arithmetic circuit over a finite field $K$ with $|K| > n$. Arithmetic circuits are
similar to Boolean circuits (see Section 4), except that the computations take
place over $K$ instead of $GF(2)$. This is no restriction: if we fix an arbitrary
$K$, then any function that is efficiently computable is also computable by a
polynomial size arithmetic circuit over $K$. These are the types of gates we require:
two-input addition and multiplication gates, and one-input gates for addition
or multiplication with a constant.

As in Section 4, the computation proceeds in a gate-by-gate manner, main- 
taining the invariant that at each point the players have random shares in the 
current intermediate results. 

When they have processed the final output gate, all players broadcast their 
shares in the result, and reconstruct it. 

Input Distribution Phase 

Using Shamir’s Secret Sharing Scheme, each player provides shares of his 
input to all players. 

Computation Phase 

If the current gate is addition, or addition/multiplication of a constant, they
follow the steps from the first part of Section 15.1. If the current gate is
multiplication, they follow the steps from the second part of Section 15.1.

Reconstruction Phase 

Each player broadcasts his share in the output, and all reconstruct the result. 

15.3 Optimality of the Bound 

Suppose there exists an integer $n > 1$ and a general $n$-party computation protocol
secure if more than a strict minority of the players conspire (semi-honestly),
i.e. the number of tolerable conspirators would be at least $n/2$. This would
immediately imply a protocol for two players to evaluate for instance the AND-
function obliviously (each of the players would simulate a different half of the $n$
players). By the same arguments as in Section 3.1, this is impossible and hence
the $t-1 < n/2$ bound is optimal.



16 Dealing with Malicious Attacks 

We first show how to turn Shamir’s secret sharing scheme into a Verifiable Secret 
Sharing Scheme. Based on this, we construct distributed homomorphic commit- 
ments. Finally, we explain how to defend against malicious attacks in general 
multi-party computations. 

These results are taken from Cramer, Damgaard and Maurer [28] . 

16.1 Verifiable Secret Sharing Scheme 

Below we adopt a linear algebraic view on Shamir’s secret sharing scheme, that 
some may find less intuitive than the explanation based on polynomial interpo- 
lation (though technically speaking it is definitely as elementary). 
Our reasons for doing so are two-fold.

First, it opens the way to a verifiable secret sharing scheme that avoids the
bi-variate polynomials and error correcting codes of [13].

Second, Brickell [18] points out how this linear algebraic view leads to a natural
extension to a wider class of secret sharing schemes that are not necessarily
of the threshold type. This has later been generalized to all possible so-called
monotone access structures by Karchmer and Wigderson [61], based on a linear
algebraic computational device called monotone span program.

This generalization has first been achieved by Ito, Nishizeki and Saito [60] and later
by Benaloh and Leichter [11]. Both these results are based on elementary monotone
formula complexity of the access structure ([60] is more restricted since it requires
DNF formulae). However, the model of [61] is much more powerful in terms of
efficiency. See also [14].

Cramer, Damgard and Maurer [28] extend these results of Karchmer and
Wigderson, by introducing a method to transform monotone span program based
secret sharing schemes (Shamir’s scheme is a particular instance) into verifiable
secret sharing schemes. The enhancement is purely linear algebraic in nature and
admits no analogous view based on polynomials. In fact, in the monotone span
program model of [61], which deals with arbitrary monotone access structures
and not just threshold ones, it is in general not possible to speak about polynomials.
Therefore, one reaches further if one concentrates on the quintessential
algebraic properties, instead of on the very specific language of polynomials.

We will not present the general VSS result of [28] here, but rather the
threshold-case which has some nice extras over the general construction, that
are mentioned but not detailed in [28]. The presentation is self-contained and
doesn’t require knowledge of [61].

Linear Algebraic View on Shamir’s Secret Sharing Let $K$ be a finite field,
let $M$ be a matrix with $n$ rows and $t$ columns, and with entries from $K$. We say
that $M$ is an $(n,t)$-Vandermonde matrix (over $K$) if there are $\alpha_1, \ldots, \alpha_n \in K$, all
distinct and non-zero, such that the $i$-th row of $M$ is of the form $(1, \alpha_i, \alpha_i^2, \ldots, \alpha_i^{t-1})$
for $i = 1, \ldots, n$. Note that this implies that $|K| > n$.

For an arbitrary matrix $M$ over $K$ with $n$ rows labelled $1, \ldots, n$, and for an
arbitrary non-empty subset $A$ of $\{1, \ldots, n\}$, let $M_A$ denote the matrix obtained
by keeping only those rows $i$ with $i \in A$. If $A = \{i\}$, we write $M_i$. Similarly, for
a vector $s \in K^n$, $s_A$ denotes those coordinates $s_i$ of $s$ with $i \in A$.

Let $M_A^T$ denote the transpose of $M_A$ and let $\mathrm{Im}\,M_A^T$ denote the $K$-linear
span of the rows of $M_A$. We use $\mathrm{Ker}\,M_A$ to denote all linear combinations of the
columns of $M_A$ leading to $0$, the kernel of $M_A$.

It is well-known that any square (i.e. number of rows is equal to number of
columns) Vandermonde matrix has a non-zero determinant. If $M$ is an $(n,t)$-Vandermonde
matrix over $K$ and $A \subset \{1, \ldots, n\}$, then we conclude that the
rank of $M_A$ is maximal (i.e. is equal to $t$, or equivalently, $\mathrm{Im}\,M_A^T = K^t$) if and
only if $|A| \geq t$.

But more is true. Let $e$ denote the column vector $(1, 0, \ldots, 0) \in K^t$. If $|A| < t$,
then $e \notin \mathrm{Im}\,M_A^T$, i.e. there is no $\lambda \in K^{|A|}$ such that $M_A^T \lambda = e$.

This can be seen as follows. Suppose without loss of generality that $|A| = t-1$
and that there is such a $\lambda$. Consider the square matrix $N_A$ obtained from $M_A$ by
deleting the first column (that consists of $t-1$ $1$’s). This matrix is “almost” a
square Vandermonde matrix: it can be seen as a square Vandermonde matrix
multiplied by a matrix that has zeroes everywhere, except that its diagonal
consists of non-zero elements (in fact, $\alpha_i$’s with $i \in A$). It follows that $N_A$ has a
non-zero determinant. But then $M_A^T \lambda = e$ implies $N_A^T \lambda = 0$ and $\lambda \neq 0$. This is
impossible since $N_A$ is a square matrix with non-zero determinant.

Therefore we can say

$e \in \mathrm{Im}\,M_A^T$ if and only if $|A| \geq t$.

We need some more basic linear algebra. For vectors $x, y \in K^t$ define the
standard in-product (finite field case) as $\langle x, y \rangle = x_1 y_1 + \cdots + x_t y_t$. We write
$x \perp y$ when $\langle x, y \rangle = 0$, and $x$ is said to be orthogonal to $y$, and vice-versa. For a
$K$-linear subspace $V$ of $K^t$, $V^\perp$ denotes the collection of elements of $K^t$ that are
orthogonal to all of $V$ (the orthogonal complement), which is again a $K$-linear
subspace.

For all subspaces $V$ of $K^t$ we have $V = (V^\perp)^\perp$. This is an elementary fact
that can be proved in a number of ways. Here we exploit the fact that $K$ is finite.

Say $\dim(V) = t'$, and choose any basis for $V$. Now $x \in V^\perp$ if and only if
$\langle x, f \rangle = 0$ for all vectors $f$ in the chosen basis. So if we arrange those basis
vectors as the rows of a matrix $M$ (it follows that $V = \mathrm{Im}\,M^T$), we have $V^\perp =
(\mathrm{Im}\,M^T)^\perp = \mathrm{Ker}\,M$. The latter equality simply follows by inspection.

By Gaussian Elimination (“sweeping”) on the rows of $M$, we can bring it of
course into a form where the first $t'$ columns constitute the identity matrix.

The rows of this new $M$ are still a basis for $V$, and therefore the relationships
above still hold. We count the number of $x$ such that $Mx = 0$, i.e. we count
$|\mathrm{Ker}\,M|$. From $M$’s form, it follows that for each selection of the last $t - t'$
coordinates of $x$, there is a unique selection of its first $t'$ coordinates such that
$Mx = 0$. Hence, $|V^\perp| = |\mathrm{Ker}\,M| = |K|^{t - t'}$. Therefore, by applying this fact once
more, $|(V^\perp)^\perp| = |K|^{t'}$. Since $V \subset (V^\perp)^\perp$ from the definition, it now follows that
$V = (V^\perp)^\perp$.

By application of this fact, it now follows that $\mathrm{Im}\,M_A^T = (\mathrm{Ker}\,M_A)^\perp$, and we
can conclude that

$e \notin \mathrm{Im}\,M_A^T$ if and only if there exists $\kappa \in K^t$ such that $M_A \kappa = 0$ and $\kappa_1 = 1$.

Another simple identity is that $\langle x, M_A^T y \rangle = \langle M_A x, y \rangle$ for all $x, y$ of adequate
dimensions.

Now we can present and analyze Shamir’s scheme in an alternative fashion. 

Let there be n players, and let t be the threshold. Over a finite field K, let 
M be an (n, t)-Vandermonde matrix. 

Distribution Phase: Let $s \in K$ be the secret. The dealer chooses a vector $b \in K^t$
by setting its first coordinate $b_1$ to $s$, and selecting random elements from
$K$ for the remaining coordinates. To player $i$ he privately sends $s_i = M_i b$ as
share in $s$, for $i = 1, \ldots, n$.

Reconstruction Phase: Let $A \subset \{1, \ldots, n\}$ with $|A| \geq t$. From their joint
information, the players in $A$ efficiently compute by elementary linear algebra
$\lambda \in K^{|A|}$ such that $M_A^T \lambda = e$. Write $M_A b = s_A$. Then $s = \langle b, e \rangle =
\langle b, M_A^T \lambda \rangle = \langle M_A b, \lambda \rangle = \langle s_A, \lambda \rangle$, which they can compute efficiently.

It should be clear that reconstruction works as desired. Regarding privacy,
let $|A| = t-1$, and consider the joint information held by the players in $A$,
i.e. $s_A = M_A b$. Let $\tilde{s} \in K$ be arbitrary, and let $\kappa$ be such that $M_A \kappa = 0$ and
$\kappa_1 = 1$. Then $M_A(b + (\tilde{s} - s)\kappa) = s_A$, and the first coordinate of the argument is
equal to $\tilde{s}$. This means that, from the point of view of the players in $A$, $s_A$ can
be consistent with the secret $\tilde{s}$.

The number of $b \in K^t$ with $b_1 = \tilde{s}$ is clearly equal to $|\mathrm{Ker}(M_A)|$ (which is
independent of $\tilde{s}$), and the players in $A$ have no information about $s$ (take into
account that all coordinates of $b$ except possibly the first have been chosen at
random).

Towards VSS Let $t-1 < n/3$. A fact that is also exploited in [13] is that a
complete set of shares $s$ with at most $t-1$ arbitrary errors still defines the secret
$s$ uniquely.

Indeed, let $\delta_1, \delta_2 \in K^n$ be arbitrary vectors with Hamming-weight at most
$t-1$. Let $W \subset \{1, \ldots, n\}$ denote the indices of the coordinates that are
simultaneously zero in both vectors. Note that $|W| \geq t$. Consider $s_1 = M b_1$ and
$s_2 = M b_2$, and $\tilde{s}_1 = s_1 + \delta_1$ and $\tilde{s}_2 = s_2 + \delta_2$. Suppose that $\tilde{s}_1 = \tilde{s}_2$. Then we
have $M_W(b_1 - b_2) = 0$. But since $|W| \geq t$, the first coordinate of the argument
must be zero and hence $b_1 = b_2$.

Therefore, in principle and assuming that the dealer is honest, setting $t-1 < n/3$
guarantees robustness against players handing in false shares. However,
efficiency is a problem (even when assuming an honest dealer): how to decode
a “disturbed” set of shares $s$ and recover the secret. In [13], efficient standard
error correction techniques are applied to a version of Shamir’s scheme obtained
by first passing to an extension field of $K$.

We first explain how this can be avoided (for the moment we still assume an
honest dealer).

Consider the following variant of Shamir’s scheme. 

Distribution Phase: Let $s \in K$ be the secret. The dealer chooses a random symmetric matrix $R \in K^{t,t}$, subject to the condition that it has $s$ in its upper left corner. For $i = 1 \ldots n$, the dealer sends privately to player $i$ the (row-)vector $\mathbf{s}_i = M_i R$ as share in $s$. Write $b$ for the first column of $R$; then the first coordinate of $\mathbf{s}_i$ is equal to $M_i b$. This value is called player $i$'s actual share in $s$.

Reconstruction Phase: For $i = 1 \ldots n$, each player $i$ broadcasts his share $\mathbf{s}_i$. Consider the matrix $C$ with $n$ rows and $n$ columns, whose entry in the $i$-th row and $j$-th column is 1 if and only if $M_j \mathbf{s}_i^T = \mathbf{s}_j M_i^T$. Throw away all rows of $C$ that have $t$ or more zeroes. There will be at least $t$ rows left. For each of the rows $i$ left, take the first coordinate of the corresponding $\mathbf{s}_i$ as the actual share of player $i$. These at least $t$ actual shares determine uniquely the secret $s$, according to Shamir's secret sharing scheme as before.

We first argue that the secret $s$ is indeed efficiently reconstructed, assuming an honest dealer and at most $t - 1$ arbitrarily corrupt players. First note that for all $i$, $(M_i R)^T = R M_i^T$ by symmetry of $R$. Hence, for all $i, j$ we have

$M_j \mathbf{s}_i^T = \mathbf{s}_j M_i^T.$



From this we conclude that each player $j$ holds a share $M_j \mathbf{s}_i^T$ in player $i$'s actual share of $s$. Consider the case that a player $i$ broadcasts a vector that differs from his share in the first coordinate (and possibly elsewhere as well); then for at most $t - 1$ of the real $\mathbf{s}_j$'s we have $M_j \mathbf{s}_i^T = \mathbf{s}_j M_i^T$, since obviously, two complete sets of shares in Shamir's scheme (with parameters $n$, $t$) for different secrets can agree on at most $t - 1$ of the shares. But we also have to take into account that not only player $i$ may be cheating, he may also coordinate with $t - 2$ other cheaters. Hence, an upper bound on the number of consistencies in this case is $(t - 1) + (t - 1) = 2t - 2$. Therefore, there are at least $t$ inconsistencies in this case.

On the other hand, if player $i$ is honest then no matter how the corrupt players lie and cheat, they are going to cause at most $t - 1$ inconsistencies in the $i$-th row of the consistency matrix $C$. Therefore, the procedure yields at least $t$ good actual shares, sufficient for reconstructing $s$. Note that in the analysis we have only used the fact that the total information $\mathbf{s}_B$ received by the set of the honest players $B$ is of the form $\mathbf{s}_B = M_B R$ for some symmetric $R$.

As to privacy we note the following. For vectors $v = (v_1, \ldots, v_t) \in K^t$ and $w = (w_1, \ldots, w_t) \in K^t$, the standard tensor product (matrix form) $v \otimes w$ is defined as a matrix with $t$ rows and $t$ columns such that the $j$-th column is equal to $v_j w$. Note that $v \otimes v$ is a symmetric matrix. Privacy is argued in a similar way as in the case of the linear algebraic explanation of Shamir's scheme. Let $|A| \leq t - 1$, and let $\kappa$ satisfy $M_A \kappa = 0$ and $\kappa_1 = 1$. Then $\kappa \otimes \kappa$ is symmetric, has 1 in its upper left corner and satisfies $M_A(\kappa \otimes \kappa) = 0$. This is then used to show that for each possible secret, the number of symmetric matrices with that secret in its upper left corner and consistent with the joint information of $A$, is the same.



Pairwise Checking Protocol We now drop the assumption that the dealer 
is honest, and build a “pair-wise checking protocol”, where each pair of players 
exchange checking information, around the scheme above to obtain VSS. The 
pair-wise checking as such is quite similar to methods from e.g. [13] and [43]. 

Let $B$ denote the set of honest players, and let $S_B$ be the total information received by $B$ in the distribution phase. By the analysis of the honest dealer case above, we are done if $S_B = M_B R$ for some symmetric matrix $R$.

Suppose that some "pair-wise checking protocol" performed right after the dealer distributed the shares (as in the scheme above) would guarantee that

$M_B S_B^T = S_B M_B^T.$

We show that this is sufficient to conclude the existence of such $R$. Since certainly $|B| \geq t$, we know that the span of the rows of $M_B$ is all of $K^t$. Hence there exists a matrix $N_B$ such that $M_B^T N_B$ is equal to the identity matrix with $t$ rows and $t$ columns. Hence we have $M_B(S_B^T N_B) = S_B$, and we can take $S_B^T N_B$ as $R$.

The following pairwise-checking protocol is appended to the distribution 
phase. 

1. Each player $i$ sends to each player $j$ the value $M_j \mathbf{s}_i^T$. Player $j$ checks that this is equal to $\mathbf{s}_j M_i^T$ (pairwise consistency check). In case of an inconsistency, player $j$ broadcasts a complaint about the value received from player $i$.

2. In response to complaints, the dealer must broadcast the correct value $M_j \mathbf{s}_i^T$ for all complaints of players $j$ about the values received from players $i$.

3. If any player j finds that the information broadcast by the dealer is still in- 
consistent, it is clear to player j that the dealer is corrupt, and he broadcasts 
a request that the dealer makes public all the information sent to player j. 
This counts as claiming that the dealer is corrupt. These accusing players 
remain passive until a decision is made in the final step. 

4. The dealer must again broadcast all the requested information, and again this may result in some players accusing the dealer of being corrupt. This can repeat until the information broadcast by the dealer contradicts itself, or he has been accused by at least $t$ players. Or else, no new complaints occur and the number of accusations is at most $t - 1$. The decision whether or not to accept the distribution phase is now taken as follows. In the first two cases, the dealer is deemed corrupt and is disqualified. In the last case, the distribution phase is accepted by the honest players. Accusing players accept the information broadcast for them as their shares.

We analyze the protocol. First, we look at the honest dealer case. The corrupt players do not get more information than in the protocol above that assumes an honest dealer (note that no honest player will request the honest dealer to make public the information sent to him by the dealer, because if the honest player complains about some player, the honest dealer will always send the correct value).

Furthermore, the corrupt players can cause at most $t - 1$ accusations, and hence the distribution phase is always accepted by the honest players if the dealer is honest.

Next, let's drop the assumption that the dealer is honest and let's assume that the distribution phase was accepted by the honest players. Then it is immediate that each honest player has a share that is consistent with the shares of all other honest players. Suppose that this is not the case. There must be at least one honest player that did not accuse the dealer (since there are at most $t - 1$ accusations and at most $t - 1$ corrupted players, and $2t - 2 < n$ since $t - 1 < n/3$). Clearly, the shares held by the set of non-accusing honest players (which is non-empty by the above) must be pair-wise consistent. All other shares of honest players are broadcast, so if there were any inconsistency, a non-accusing honest player would have accused the dealer, which is in contradiction with our assumptions.

16.2 General Protocol Secure against Malicious Attacks 

Consider the protocol for the semi-honest case. We would like to enhance it so 
that the following invariant is maintained. At each point in the (once again) 
gate-by-gate multi-party computation, the current intermediate results (i.e. the 
values at the current gate as propagated through the circuit from the actual 
inputs) are secret shared (as in the semi-honest case) and moreover, each player 
is committed to his shares. 

Homomorphic Distributed Commitments Distributed commitments have 
similar binding and hiding properties as the commitments from Section 6.2, 
except that this time these properties hold unconditionally, i.e. regardless of the 
computing power of an adversary. Of course, this will be so only with respect to 
the adversary we have defined earlier, that corrupts less than n/3 of the players 
before the start of the protocol. 

Based on VSS, this is how it works. If player $j$ wants to commit to $s \in K$, the $n$ players execute the distribution phase of VSS, where player $j$ acts as the dealer and takes $s$ as the secret. To open the commitment, the $n$ players execute the reconstruction phase of VSS.

One can immediately see that given two distributed commitments to values $s$ and $s'$ respectively, a commitment to $s + s'$ is non-interactively created by having all players locally take the sum of the information they hold (i.e. the VSS-shares in $s$ and $s'$).

Similarly, they can take a commitment and non-interactively multiply or add 
in a known constant. 

It is in this sense that we say that the commitments are homomorphic. To create a distributed commitment to $ss'$ is more involved and is explained later on.

Maintaining the Invariant Now think of the commitments from above as abstract, black-box homomorphic commitments, and forget for the moment how we actually constructed them. Suppose the dealer in Shamir's scheme first commits to the secret $s$ and the random choices $\rho_1, \ldots, \rho_{t-1}$. Then, by the homomorphic properties of the commitments and the fact that the shares in Shamir's scheme are linear combinations (with fixed public coefficients!) of the secret and the $\rho_i$'s, the players can compute new commitments to these $n$ shares by just doing local computations. This guarantees that the dealer is committed to consistent shares, i.e. the shares result from a correct (not necessarily random, but this is no problem) execution of the distribution phase of the secret sharing scheme. The only thing the dealer now has to do is to send privately to each player the share he is entitled to and the "opening information" of the commitment to this share, so that now the receiving player is committed to his share and can open it himself. We call this the Commitment Sharing Protocol (CSP).

In the Input Distribution Phase of the general protocol, all players will secret 
share their inputs to the computation in the way we have just described. 

In the Computation Phase, if the current gate is addition, or multiplication 
by a constant, the procedure is trivial by the homomorphic properties of com- 
mitments and Shamir’s secret sharing scheme. The only real difficulty left is 
handling multiplication gates, which we will study separately. 

In the Output Reconstruction Phase, each player merely opens the commit- 
ment to his share in the final result of the computation. Each player collects 
enough correct shares to reconstruct the result (output) of the computation. 



Linear Secret Sharing Schemes We now set out to handle the multiplication 
gates. But first it is convenient to further explore our linear algebraic view. 

Shamir’s secret sharing scheme is a linear scheme in the sense that each share 
is a linear combination (with fixed, public constants) of the secret and random 
choices made by the dealer. 

It is possible to take this point of view as the starting point for a class of 
secret sharing schemes [18,14,61]: general linear secret sharing schemes. 

There are $n$ players, and there is a public matrix $M$ with $d$ rows and $e$ columns, in which each row is assigned to one of the players. Abstractly speaking, each of the $d$ rows of $M$ is labeled with exactly one element from $\{1, \ldots, n\}$, and we allow that some (or all) labels occur more than once. Write $\psi$ for the function that associates a row with a player. For $A \subset \{1, \ldots, n\}$, let $M_A$ denote those rows of $M$ that are labeled with an element from the set $A$. If $A = \{i\}$, we write $M_i$.

To compute shares of a secret, the dealer chooses a vector $b$ at random subject to the condition that the secret is in the first coordinate of the vector, and for $i = 1 \ldots n$ sends the vector $\mathbf{s}_i = M_i b$ as share in $s$ privately to player $i$.

In Shamir’s scheme this matrix corresponds of course to the Vandermonde 
matrix, and each player is associated with exactly one row. 

Recall from the linear algebra proof of Shamir's scheme that exactly those subsets of the players can reconstruct the secret whose matrix (i.e. the submatrix that contains the rows associated with the subset) has $e$ in the $K$-linear span of its rows. Other subsets have no information about the secret.

It can be shown by similar arguments as the ones used in the linear algebra proof of Shamir's scheme that in the general linear scheme as defined above, exactly those subsets $A$ can reconstruct the secret for which $e$ is in the $K$-linear span of the rows of $M_A$. Other subsets have no information.

(Footnote: The opening information for a share consists basically of all data needed to construct the commitment. It's easy to see that the dealer in fact has the required information. In reality, the process we describe needs to be augmented with a complain/satisfy procedure, like in VSS. This procedure is fairly straightforward in this case.)

Now in general, the subsets that can reconstruct are not exactly all subsets of a certain cardinality. One can show that for any monotone access structure $\Gamma$, i.e. a collection of subsets of the $n$ players with the property that if $\Delta$ is a member of $\Gamma$ then any set containing $\Delta$ is in $\Gamma$ as well, there is a linear secret sharing scheme such that the subsets that can reconstruct the secret are exactly the members of $\Gamma$. Again, other subsets have no information.

Let $e$ denote the vector $(1, 0, \ldots, 0) \in K^e$. It is not hard to show that the subsets $A$ that can reconstruct the secret are exactly those for which $e \in \mathrm{Im}\, M_A^T$. The players in such a set $A$ jointly recover a secret $s$ by computing $s = (\mathbf{s}_A, \lambda)$, where $M_A^T \lambda = e$, and $\mathbf{s}_A$ are the shares held by $A$, i.e. $\mathbf{s}_A = M_A b$.

The quadruple $\mathcal{M} = (K, M, e, \psi)$ is called a monotone span program [61]. This powerful device is said to compute an access structure $\Gamma$ (or equivalently, a monotone Boolean function) if and only if it is the case that $e \in \mathrm{Im}\, M_A^T$ exactly when $A$ is a member of $\Gamma$.

We will also call the sets in this corresponding access structure the sets "accepted" by $\mathcal{M}$. A set that is not accepted is called "rejected".

So each linear secret sharing scheme can be viewed as derived from a mono- 
tone span program computing its access structure. 

We now return to the multiplication protocol. Let $M$ be an $(n, t)$-Vandermonde matrix over $K$ with $t - 1 < n/2$. For vectors $\mathbf{s}, \mathbf{s}' \in K^n$, define their star-product

$\mathbf{s} * \mathbf{s}' = (s_1 s'_1, \ldots, s_n s'_n) \in K^n.$

For vectors $x, y \in K^t$, define their tensor product (this time a vector instead of a matrix)

$x \otimes y = (x_1 y_1, \ldots, x_1 y_t, \ldots, x_t y_1, \ldots, x_t y_t) \in K^{t^2}.$

For a matrix $M$, let $M^{\otimes}$ denote $M$ except that each row $v$ of $M$ is replaced by $v \otimes v$.

Another way to view the multiplication protocol from Section 15.1 for Shamir's scheme is by saying that there exists a fixed vector $r \in K^n$, which we call recombination vector, such that for all $b, b' \in K^t$, with respective first coordinates $s, s' \in K$, we have

$(r, \mathbf{s} * \mathbf{s}') = ss',$

where $\mathbf{s} = Mb$ and $\mathbf{s}' = Mb'$.

Call this the multiplication-property of the secret sharing scheme. The existence of the vector $r$ follows for instance from the analysis in Section 15.1, as well as a method for efficiently computing it. From the analysis it also follows that Shamir's scheme has the multiplication property if and only if $t - 1 < n/2$.

In the case of defense against malicious attacks in the multiplication protocol for Shamir's scheme and for reasons to become clear shortly, we need additionally that for all $B \subset \{1, \ldots, n\}$ with $|B| \geq n - t + 1$ there exists a fixed vector $r$ (depending on $B$) such that

$(r, \mathbf{s}_B * \mathbf{s}'_B) = ss',$

where $\mathbf{s}_B = M_B b$ and $\mathbf{s}'_B = M_B b'$ for arbitrary $b, b'$.

(Footnote: these sets of course correspond to the potentially honest sets rather than the potentially corrupt sets of size at most $t - 1$.)

Call this the strong multiplication-property of the secret sharing scheme, and call $r$ the recombination vector for the set $B$.

Note that if the strong multiplication-property is satisfied, then certainly also the multiplication-property is satisfied: just take $B = \{1, \ldots, n\}$.

We can also say that strong multiplication is satisfied exactly when for each $B$ with at least $n - t + 1$ elements, $M_B$ has multiplication.

If we now set $t - 1 < n/3$, then we see that for all $B$ with $n - t + 1$ elements, $M_B$ is an $(n - t + 1, t)$-Vandermonde matrix ("$t$ out of $n - t + 1$") and also that $t - 1 < (n - t + 1)/2$. If $B$ has even more elements, this clearly holds as well. Therefore, strong multiplication is satisfied by the way we set the parameter $t$.

It will be helpful to further extend the linear algebraic view. Note that the definition of the multiplication-property makes no reference to Shamir's secret sharing or threshold access structures. We could require this property of a general linear secret sharing scheme. In fact, this is exactly the definition of monotone span programs with multiplication from [28]. For strong multiplication, the only change in the definition we make is to say that the property holds for all sets $B$ that are the complement of a set that is rejected by the monotone span program (i.e. complements of sets that are not in the access structure).

It is proved in [28] that $\mathcal{M} = (K, M, e, \psi)$ is a monotone span program with multiplication if and only if

$e \otimes e \in \mathrm{Im}\,(M^{\otimes})^T.$

Any vector $r$ with $e \otimes e = (M^{\otimes})^T r$ is a recombination vector.

As to strong multiplication, let $\mathcal{M}_B$ be the monotone span program obtained by throwing away the rows not belonging to $B$, where $B$ is the complement of a rejected set. Then it follows immediately that $\mathcal{M}$ has strong multiplication if and only if for all such $B$, $\mathcal{M}_B$ has multiplication.

We are now ready to state the properties we use in the explanation of defense against malicious attacks to follow. Now let $\mathcal{M}$ be a monotone span program with multiplication. We can now consider the linear secret sharing scheme based on $\mathcal{M}^{\otimes} = (K, M^{\otimes}, e \otimes e, \psi)$ and conclude that the set $\{1, \ldots, n\}$ is accepted by $\mathcal{M}^{\otimes}$. Hence, if the $n$ players receive a complete set of shares $M^{\otimes} c$, they can recover the secret, which is $c$'s first coordinate. This follows from the observations about the connection between general linear secret sharing and monotone span programs above.

If $\mathcal{M}$ has strong multiplication, this is true for each subset $B$ whose complement is rejected by $\mathcal{M}$. This fact and the following technicality (which is proved directly from the definitions) are useful in what follows.

For any monotone span program $\mathcal{M}$, and for all $b$ and $b'$, we have

$\mathbf{s} * \mathbf{s}' = M^{\otimes}(b \otimes b'),$

where $\mathbf{s} = Mb$ and $\mathbf{s}' = Mb'$.






This follows from the definition and the uniqueness of algebraic normal form. 
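An added example (not the notes' own code) that treats the (n, t)-Vandermonde matrix as a monotone span program over a constructed field GF(101): it decides acceptance of a set A by solving M_A^T λ = e, computes recombination vectors from (M_B^⊗)^T r = e ⊗ e, checks the identity s * s' = M^⊗(b ⊗ b') on random b, b', and shows that with n = 7 the scheme has multiplication for t = 4 but strong multiplication only for t = 3, as the thresholds t - 1 < n/2 and t - 1 < n/3 predict. The small Gaussian elimination routine, the field and the parameters are assumptions of this example.

```python
from itertools import combinations
import random

P = 101          # constructed prime; all arithmetic is in GF(P)
N, T = 7, 3      # t - 1 = 2 < n/3, so strong multiplication is expected

def vandermonde(n, t, p=P):
    """Row i is (1, x_i, ..., x_i^(t-1)) with x_i = i; player i owns row i."""
    return [[pow(i, k, p) for k in range(t)] for i in range(1, n + 1)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def mat_vec(A, v, p=P):
    return [sum(a * c for a, c in zip(row, v)) % p for row in A]

def solve(A, y, p=P):
    """Gaussian elimination over GF(p): some x with A x = y, or None if y is
    not in the image of A (free variables are set to 0)."""
    rows, cols = len(A), len(A[0])
    aug = [[v % p for v in row] + [rhs % p] for row, rhs in zip(A, y)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((k for k in range(r, rows) if aug[k][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for k in range(rows):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(a - f * b) % p for a, b in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    if any(not any(row[:-1]) and row[-1] for row in aug):
        return None                      # inconsistent: y is not in Im A
    x = [0] * cols
    for k, c in enumerate(pivots):
        x[c] = aug[k][-1]
    return x

def sub_rows(M, B):
    """M_B: the rows of M labelled by the players in B (1-based)."""
    return [M[i - 1] for i in sorted(B)]

def reconstruction_vector(M, B, p=P):
    """lambda with M_B^T lambda = e: exists iff B is accepted, and then the
    players in B recover s = (s_B, lambda). None means B is rejected."""
    e = [1] + [0] * (len(M[0]) - 1)
    return solve(transpose(sub_rows(M, B)), e, p)

def tensor(x, y, p=P):
    """x (x) y = (x_1 y_1, ..., x_1 y_t, ..., x_t y_1, ..., x_t y_t)."""
    return [a * b % p for a in x for b in y]

def star(s, s2, p=P):
    return [a * b % p for a, b in zip(s, s2)]

def m_tensor(M, p=P):
    """M^(x): every row v of M replaced by v (x) v."""
    return [tensor(v, v, p) for v in M]

def recombination_vector(M, B, p=P):
    """r (indexed by B) with (M_B^(x))^T r = e (x) e, so that (r, s_B * s'_B) = ss'
    for all b, b'. None means M_B lacks the multiplication property."""
    MB = m_tensor(sub_rows(M, B), p)
    ee = [1] + [0] * (len(MB[0]) - 1)
    return solve(transpose(MB), ee, p)

def has_multiplication(M, p=P):
    return recombination_vector(M, range(1, len(M) + 1), p) is not None

def has_strong_multiplication(M, t, p=P):
    """Multiplication for every B with |B| >= n - t + 1, i.e. every complement
    of a potentially corrupt set of size at most t - 1."""
    n = len(M)
    return all(recombination_vector(M, B, p) is not None
               for k in range(n - t + 1, n + 1)
               for B in combinations(range(1, n + 1), k))

def check_on_sample(M, B, seed=1, p=P):
    """Random b, b': verify s * s' == M^(x)(b (x) b') and (r, s_B * s'_B) == ss'."""
    rng = random.Random(seed)
    t = len(M[0])
    b = [rng.randrange(p) for _ in range(t)]
    b2 = [rng.randrange(p) for _ in range(t)]
    s, s2 = mat_vec(M, b, p), mat_vec(M, b2, p)
    identity_ok = star(s, s2, p) == mat_vec(m_tensor(M, p), tensor(b, b2, p), p)
    r = recombination_vector(M, B, p)
    sB, s2B = [s[i - 1] for i in sorted(B)], [s2[i - 1] for i in sorted(B)]
    product_ok = sum(a * w for a, w in zip(r, star(sB, s2B, p))) % p == b[0] * b2[0] % p
    return identity_ok and product_ok

if __name__ == "__main__":
    M = vandermonde(N, T)
    print(reconstruction_vector(M, {1, 2, 3}), reconstruction_vector(M, {2, 5}))
    print(has_multiplication(M), has_strong_multiplication(M, T))     # True True
    M4 = vandermonde(7, 4)                      # t - 1 = 3 < n/2 but not < n/3
    print(has_multiplication(M4), has_strong_multiplication(M4, 4))   # True False
```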
The Commitment Multiplication Protocol The situation is as follows. There are two values $s$ and $s'$, and each of the $n$ players is committed to his shares in $s$ and $s'$.

We'd like to have a protocol by means of which the same can be enforced on $ss'$.

Of course the protocol from Section 15.1 comes in handy, but we will have 
to enhance it. 

Let $\mathcal{M} = (K, M, e, \psi)$ be the monotone span program underlying Shamir's secret sharing scheme with $t - 1 < n/3$.

Consider player $i$ right before he re-shares in Section 15.1, where $s_i$ and $s'_i$ are his shares in $s$ and $s'$, respectively. In the current context we may assume that he is already committed to $s_i$ and $s'_i$ separately.

It is sufficient for our purposes here if player $i$ could create a commitment to $s_i s'_i$ and convince the rest of the players that this is indeed a commitment to $s_i s'_i$.

Indeed, suppose we had such a method, then for re-sharing we would do as in Section 15.1 and additionally have each player $i$ commit to his local product $s_i s'_i$, prove that the resulting commitment contains indeed $s_i s'_i$, commit to randomness needed for the basic Shamir's secret sharing, have all players compute non-interactively commitments to the shares, and have player $i$ finally send the players their shares privately, plus the information needed to open the commitments to their respective shares, just as in the CSP-protocol. After each player $i$ has done so, they can compute their own shares in $ss'$, commitments to all shares and opening information for the commitments to their own shares, using the recombination vector $r$.

How can player i prove that a given commitment contains the product of the 
contents of two other given commitments? 

We assume that $t - 1 < n/3$. Let $M$ be an $(n, t)$-Vandermonde matrix. Then $\mathcal{M} = (K, M, e, \psi)$ is with strong multiplication and $\psi$ just associates the $j$-th row of $M$ with the $j$-th player, $j = 1, \ldots, n$.

First, player $i$ selects $b$ at random such that $b_1 = s_i$ and $b'$ at random such that $b'_1 = s'_i$. Next, he commits to all random coefficients of $b$ and $b'$ (commitments to $s_i$ and $s'_i$ are already available, by assumption). Then all players compute, non-interactively, commitments to the individual shares resulting from $u = Mb$ and $u' = Mb'$. Finally, player $i$ sends shares $u_j$ and $u'_j$ privately to player $j$, $j = 1, \ldots, n$. So this is as the CSP-protocol, except that at this point it is not necessary to provide the opening information of the respective commitments.

Player $i$ proceeds by committing to $s_i s'_i$, and to each of the coordinates of $b \otimes b'$. The players now compute non-interactively commitments to the $n$ coordinates $v = (v_1, \ldots, v_n)$ of $M^{\otimes}(b \otimes b')$.

Note that if player $i$ indeed committed to the correct value $s_i s'_i$, for each $j$ we must now have $u_j u'_j = v_j$, since $u * u' = M^{\otimes}(b \otimes b')$.

In any case, there is a vector $c$ such that $v = M^{\otimes} c$. Write $u * u' = w$. Consider the set $B$, defined as the complement of the set of players that the adversary actually corrupted (i.e. $B$ consists of the honest players). Note that $|B| \geq n - t + 1$. Since $u * u' = M^{\otimes}(b \otimes b')$ and since $\mathcal{M}$ has strong multiplication, $B$ is accepted by $\mathcal{M}^{\otimes}$ and the set of shares $w_B$ for $B$ defines $s_i s'_i$ uniquely. Likewise, $v_B$ defines a secret (i.e. $c$'s first coordinate $c_1$) uniquely.

Therefore, if $c_1 \neq s_i s'_i$, there must be a $j \in B$ such that player $j$ holds different shares for $c_1$ and $s_i s'_i$: if not, the reconstruction procedure for $B$ (in the secret sharing scheme derived from $\mathcal{M}^{\otimes}$) applied to $w_B$ and $v_B$ would yield the same secrets.

Therefore, if player $i$ did not commit to $s_i s'_i$ there is at least one honest player $j$ that will notice an inconsistency and is going to complain. Upon that complaint, player $i$ must open the commitments to $u_j$, $u'_j$ and $v_j$ so that all honest players conclude that player $i$ is corrupt.

On the other hand, if player $i$ is honest, then there are at most $t - 1$ such complaints from the corrupted players, and each of them will not convince any honest player, since opening the commitments will show that the complaining player is corrupt rather than player $i$. Moreover, the information that becomes available in the course of handling these complaints does not yield any new information (from the point of view of the corrupted players) about $s_i s'_i$.
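The share-level check u_j u'_j = v_j from the protocol above, as an added example that is not code from the lecture notes: the commitments themselves are left abstract and only the values the players would compare after opening are modelled, over a constructed field GF(101) with n = 7, t = 3. The corrupt player's strategy of picking c so that 2t - 2 chosen players see no mismatch is this example's construction; it illustrates that t players still see one, so with at most t - 1 corrupt players some honest player complains.

```python
import random

P = 101          # constructed prime; all arithmetic is in GF(P)
N, T = 7, 3      # t - 1 = 2 < n/3

def vandermonde(n, t, p=P):
    return [[pow(i, k, p) for k in range(t)] for i in range(1, n + 1)]

def mat_vec(A, v, p=P):
    return [sum(a * c for a, c in zip(row, v)) % p for row in A]

def tensor(x, y, p=P):
    """x (x) y as a vector, coordinate (a, b) at index a*t + b."""
    return [a * b % p for a in x for b in y]

def m_tensor(M, p=P):
    return [tensor(v, v, p) for v in M]

def interpolate_coeffs(points, p=P):
    """Coefficients (lowest degree first) of the polynomial of degree < len(points)
    through the given (x, y) points, by expanding the Lagrange basis."""
    k = len(points)
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:                              # multiply basis by (x - xj)
                basis = [((basis[m - 1] if m > 0 else 0)
                          - xj * (basis[m] if m < len(basis) else 0)) % p
                         for m in range(len(basis) + 1)]
                denom = denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        coeffs = [(c + scale * bm) % p for c, bm in zip(coeffs, basis)]
    return coeffs

def cheating_c(w, claimed, fooled, t=T, p=P):
    """A corrupt player i's best attempt: some c with c_1 = claimed (not the true
    s_i s'_i) whose shares v = M^(x) c agree with w = u * u' for the 2t - 2 players
    in `fooled`. v_j is a polynomial of degree 2t - 2 in x_j, so interpolate its
    coefficient vector f through (0, claimed) and (x_j, w_j), j in fooled, and put
    f_d into one coordinate (a, b) of c with a + b = d."""
    pts = [(0, claimed % p)] + [(j, w[j - 1]) for j in fooled]
    f = interpolate_coeffs(pts, p)
    c = [0] * (t * t)
    for d, fd in enumerate(f):
        a = min(d, t - 1)
        c[a * t + (d - a)] = fd
    return c

def run(s_i, s2_i, claimed, corrupt, fooled=(), seed=3, n=N, t=T, p=P):
    """Player i re-shares s_i, s'_i as u = Mb, u' = Mb' and commits to c, from
    which everyone derives v = M^(x) c; player j compares u_j u'_j with v_j.
    Returns (all mismatching players j, the honest ones among them)."""
    M = vandermonde(n, t, p)
    rng = random.Random(seed)
    b = [s_i % p] + [rng.randrange(p) for _ in range(t - 1)]
    b2 = [s2_i % p] + [rng.randrange(p) for _ in range(t - 1)]
    u, u2 = mat_vec(M, b, p), mat_vec(M, b2, p)
    w = [x * y % p for x, y in zip(u, u2)]          # u * u', held share-wise
    if claimed % p == s_i * s2_i % p:
        c = tensor(b, b2, p)                        # honest player i: c = b (x) b'
    else:
        c = cheating_c(w, claimed, fooled, t, p)
    v = mat_vec(m_tensor(M, p), c, p)
    mismatches = [j + 1 for j in range(n) if w[j] != v[j]]
    return mismatches, [j for j in mismatches if j not in corrupt]

if __name__ == "__main__":
    print(run(5, 9, 45, corrupt=[2, 6]))                        # ([], [])
    print(run(5, 9, 46, corrupt=[2, 6], fooled=[1, 3, 4, 5]))   # ([2, 6, 7], [7])
```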



16.3 Extensions 

The protocol above and its analysis are a special case of [28]. In fact, the basic 
framework behind it also works for any adversary that can be captured by a 
monotone span program with (strong) multiplication. 

However a lot of things have to be settled first. The VSS protocol we described 
is an optimization for the threshold case of the general VSS scheme from [28]. 
That scheme is based on arbitrary monotone span programs and we cannot in 
general assume as in the threshold case here, that the matrix corresponding 
to the honest players has maximal rank (this is essential in the analysis of the 
threshold VSS). However, one can show that the protocol, although in general not 
a VSS, is still a distributed commitment scheme. Based on these commitments, 
one can indeed construct VSS based on arbitrary monotone span programs. 

Moreover, [28] provides a theory of monotone span programs with (strong) multiplication that shows that exactly those general (not necessarily threshold) adversaries are captured for which [59] demonstrates that secure computation tolerating them is possible at all. Therefore, the theory is complete. Upper bounds on the complexity of monotone span programs with (strong) multiplication are given as well, that show significant improvements over previous approaches (similarly for VSS, but not requiring multiplication properties).

(Footnote: We have not tried to optimize its efficiency, and we have not been very explicit about how to handle situations where players are found out to be corrupt. In any case, it is always possible to back up to the beginning, and recover the inputs of corrupted players, after which the protocol is done over again with the corrupted players openly being simulated. There are other options which we do not discuss here.)

(Footnote: Loosely speaking, this requires a monotone span program with (strong) multiplication that rejects the sets in the adversary structure: a pre-determined collection of subsets of the players, out of which the actual adversary may pick an element and corrupt all the players in it.)

A remark about broadcast is in place. In case of general adversaries, information theoretically secure broadcast protocols defending against threshold adversaries are in general not sufficient. Therefore, [28] uses the result of [45].

Also, the techniques extend to the model of [70], where broadcast is assumed 
(and cannot be simulated information theoretically) and an exponentially small 
error is tolerated (see also [30]). This is non-trivial, and we omit any of the 
details. 

17 Other Work 

We provide some suggestions for further reading (besides those references already given). This list is by no means complete and the selection has been quite ad hoc (this holds as well for the results covered in detail in this paper, with the exception of the classical results).

Adaptive adversaries, i.e. adversaries who do not necessarily select their victims before the start of the protocol but rather adaptively as the protocol is proceeding, are dealt with in [8,20].

In [2] it is shown how general multi-party computations can be performed 
with polynomial complexity and a constant number of rounds of interaction, pro- 
vided that the function to be evaluated is given as a polynomial size arithmetic 
formula (instead of circuit). Efficiency considerations (also using pre-processing) 
are discussed in [5,6]. 

The issue of a corrupt majority is studied in [3].

Secure multi-party computation in an asynchronous communication model 
is addressed in [12]. 

Loosely speaking, a proactively secure protocol is one secure against an at- 
tacker who in principle can corrupt an arbitrary number of players in the life-time 
of a system, except that in each time-frame less than, say, half of the players are 
corrupted and a majority is honest [66,46]. 

For lots of references and detailed explanations of some fundamental results, 
see for instance [47] and [19]. 

Regarding multi-party computation protocols for electronic cash or electronic 
voting, see for instance [22], [26], [32] and [31]. 

Threshold cryptography, i.e. efficient and secure distributed computation for 
specific functions was introduced in [39]. See for instance, [38], [51] and [68] for 
distributed RSA-protocols. 

(Footnote: Recently, in a revision of [28], the authors have proved that for all relevant functions $f$ (i.e. Q2-functions), if a monotone span program of size $m$ is given that computes such a function $f$, then there exists a monotone span program with multiplication that computes $f$ as well and has size $O(m)$. Note that the novelty is in the last part of the claim. This implies, in a well-defined sense, that linear secret sharing is "sufficient" for general secure multi-party computation, where both existence and efficiency are taken into account.)

Abstract. This article is an introduction to two fundamental primitives in cryptographic protocol theory: commitment schemes and zero-knowledge protocols, and a survey of some new and old results on their existence and the connection between them.



1 What’s in this Article? 

This article contains an introduction to two fundamental primitives in cryp- 
tographic protocol theory: commitment schemes and zero-knowledge protocols. 
We also survey some new and old results on their existence and the connection 
between them. Finally, some open research problems are pointed out. 

Each of the two main sections (on commitments, resp. zero-knowledge) con- 
tain its own introduction. These can be read independently of each other. But 
you are well advised to study the technical sections on commitment schemes 
before going beyond the introduction to zero-knowledge. 

The reader is assumed to have some basic knowledge about cryptography and 
mathematics, in particular public key cryptography and the algebra underlying 
the RSA and discrete log based public key systems. Concepts such as groups 
and homomorphisms will be used without further introduction. 

2 Commitment Schemes 

2.1 Introduction 

The notion of commitment is at the heart of almost any construction of modern cryptographic protocols. In this context, making a commitment simply means that a player in a protocol is able to choose a value from some (finite) set and commit to his choice such that he can no longer change his mind. He does not, however, have to reveal his choice - although he may choose to do so at some later time.

As an informal example, consider the following game between two players P 
and V: 

1. P wants to commit to a bit b. To do so, he writes down b on a piece of paper, puts it in a box, and locks it using a padlock.

2. P gives the box to V.

3. If P wants to, he can later open the commitment by giving V the key to the padlock.

There are two basic properties of this game, which are essential to any com- 
mitment scheme: 

— Having given away the box, P cannot anymore change what is inside. Hence, 
when the box is opened, we know that what is revealed really was the choice 
that P committed to originally. This is usually called the binding property. 

— When V receives the box, he cannot tell what is inside before P decides to give him the key. This is usually called the hiding property.

There are many ways of realizing this basic functionality, some are based on 
physical processes, e.g. noisy channels or quantum mechanics, while others are 
based on distributing information between many players connected by a network. 
We will say a bit more about this later, but for now we will concentrate on the 
scenario that seems to be the most obvious one for computer communication: 
commitments that can be realized using digital communication between two 
players. 

As a very simple example of this kind of commitment, consider the case where P has a pair of RSA keys, where V (like anyone else) knows the public key with modulus $n$ and public exponent $e$. To commit to a bit $b$, P can build a number $x_b$, which is randomly chosen modulo $n$, such that its least significant bit is $b$. Then he sends the encryption $C = x_b^e \bmod n$ to V. We do not prove anything formal about this scheme here, although that is in fact possible. But it should be intuitively clear that P is stuck with his choice of $b$ since the encryption $C$ determines all of $x_b$ uniquely, and that V will have a hard time figuring out what $b$ is, if he cannot break RSA. Thus, at least intuitively, the binding and hiding requirements are satisfied.

Why should we be interested in building such commitment schemes? Primar- 
ily because this simple functionality enables the construction of secure protocols 
that accomplish surprisingly complicated, even seemingly impossible tasks. We 
will see some examples of this in the section on zero-knowledge. But we can al- 
ready now give an example of a simple problem that seems intractable without 
commitment schemes, namely coin flipping by telephone. 

The following story was introduced by Manuel Blum: suppose our old friends 
Alice and Bob are getting a divorce. They are at the point where they cannot 
even stand facing each other, so they have to discuss over the phone how to split 
the furniture, the kids, etc. But one problem remains: who gets the car? Since 
they cannot agree, they decide to flip a coin. However, they quickly realize that 
this is easier said than done in this situation where of course they don’t trust each 
other at all. Bob would not be very happy about a protocol where he announces 
HEADS, only to hear Alice reply on the phone: “Here goes. ..I’m flipping the 
coin.... You lost!”. How can we solve this? Well, certainly not by asking Alice 
to flip the coin and announce the result to Bob before he has chosen heads or 
tails; Alice would be just as unhappy as Bob was before. We seem to be in a 
deadlock - neither party wants to go first in announcing their choice. However, 
this deadlock can be broken: using a commitment scheme, we get the following 
simple protocol: 

1. Alice commits to a random bit b_A, and sends the resulting commitment C 
to Bob (you can think of C as being a locked box or an encryption, as you 
wish). 

2. Bob chooses a random bit b_B and sends it to Alice. 

3. Alice opens C to let Bob learn b_A, and both parties compute the result, 
which is b = b_A ⊕ b_B. 

It is not hard to argue intuitively that if the commitment is binding and 
hiding, then if at least one of Alice and Bob plays honestly and chooses a bit 
randomly, then the result is random, no matter how the other party plays. A 
formal proof requires a more precise definition of commitments, which we will 
get to in the next section. 
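The RSA-based bit commitment described above and the coin-flipping protocol built on it, as an added worked example (not code from the paper). The toy modulus, exponent and random number generator are constructed here and are far too small to be secure; the commitment is x_b^e mod n with x_b chosen at random with least significant bit b, and Bob only accepts the result of the flip after verifying Alice's opening against her commitment.

```python
import random

# Toy RSA public key (n, e), constructed for this example only; the primes are
# far too small for real use.  Only the public key is needed for committing.
P_TOY, Q_TOY = 999983, 1000003
N_TOY = P_TOY * Q_TOY
E_TOY = 65537   # coprime to (P_TOY-1)(Q_TOY-1), so x -> x^e mod n is a permutation


def rsa_commit(n, e, b, rng=None):
    """P commits to bit b: choose x uniformly modulo n with least significant
    bit b and send C = x^e mod n.  Returns (C, x); x is the opening P keeps."""
    if b not in (0, 1):
        raise ValueError("only a single bit can be committed to")
    rng = rng or random.SystemRandom()
    while True:
        # skip 0, 1 and n-1, which are fixed points of x -> x^e and would leak x
        x = rng.randrange(2, n - 1)
        if x & 1 == b:
            return pow(x, e, n), x


def rsa_open(n, e, commitment, x):
    """V checks an opening: x must lie in [0, n) and re-encrypt to C.  Because
    x -> x^e mod n is a permutation, C fixes x and hence the bit (binding).
    Returns the committed bit, or None when the opening is invalid."""
    if not 0 <= x < n or pow(x, e, n) != commitment:
        return None
    return x & 1


def coin_flip(n, e, alice_rng=None, bob_rng=None):
    """Blum's coin flipping by telephone on top of rsa_commit.
    Returns (result, transcript); result is b_A xor b_B."""
    alice_rng = alice_rng or random.SystemRandom()
    bob_rng = bob_rng or random.SystemRandom()
    # 1. Alice commits to a random bit b_A and sends C to Bob.
    b_a = alice_rng.randrange(2)
    commitment, opening = rsa_commit(n, e, b_a, alice_rng)
    # 2. Bob, who sees only C, sends a random bit b_B.
    b_b = bob_rng.randrange(2)
    # 3. Alice opens C; Bob verifies the opening before using b_A.
    b_a_seen = rsa_open(n, e, commitment, opening)
    if b_a_seen is None:
        raise ValueError("Alice's opening does not match her commitment")
    return b_a_seen ^ b_b, {"C": commitment, "b_A": b_a, "b_B": b_b}
```

Bob's verification in step 3 is what makes the binding property matter: an opening with a different x (even one differing only in the least significant bit) re-encrypts to a different C and is rejected, so Alice cannot wait for b_B and then pick b_A.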

2.2 Defining Commitment Schemes 

Two things are essential in the RSA example: 

— The RSA key used does not come falling from the sky. There has to be an 
algorithm for generating it: some procedure that takes as input the length 
of modulus to generate, and then chooses randomly n and e, suitable for 
use as an RSA public key. In the example this algorithm would be run by 
P initially, and P must have some confidence that keys generated by this 
algorithm cannot be easily broken by V. 

— When committing, it is essential that P makes random choices. The scheme 
above (in fact any scheme) would be completely insecure, if this was not the 
case (can you see why?). Thus the commitment sent to V must be a function 
of both the bit committed to, and of some random choices made by P. 

Keeping this in mind, we can abstract the following general definition. It is 
somewhat simplified in that it does not cover all commitment schemes, but it 
covers the examples we will look at, and is enough to get a feeling for how such 
definitions work. 

We will think of a commitment scheme as being defined by a probabilistic 
polynomial time algorithm 𝒢 called a generator. It takes as input 1^l where l is a 
security parameter and corresponds to e.g. the length of RSA modulus we want. 
It outputs a description of a function commit : {0,1}^* × {0,1} → {0,1}^*, where 
the idea is that 0/1-values can be committed to. We stick to bit-commitments 
here for simplicity. We refer to the description of commit as the public key of the 
commitment scheme. 

To use the scheme in practice, one first executes a set-up phase (once and 
for all) where either P or V runs 𝒢, and sends a description of the resulting 
function commit to the other party. In some schemes it is necessary in addition 
to convince the other party that commit was correctly chosen, in case this is not 
easy to verify from the description itself. Thus, one of the parties may reject in 
the set-up phase, meaning that it refuses to use the public key it received. 

Assuming that the public key was accepted, to commit to a bit b, P chooses 
r at random from {0,1}^* and computes the commitment C ← commit(r, b). To 
open a commitment, r, b are revealed, and V checks that indeed C = commit(r, b). 

To define precisely the two essential properties of hiding and binding for this 
kind of commitment, we need to first define what it means for an entity, typi- 
cally a probability, to be negligible - “too small to matter”. There are different 
ways in which one can define what negligible means; from the point of view of a 
practical application, one might want to say that anything occurring with prob- 
ability below a concrete bound, such as is negligible. In complexity based 
cryptography, one usually prefers an asymptotic definition: ε(l) is negligible in l 
if for any polynomial p, ε(l) < 1/p(l) for all large enough l. One motivation for 
this is that if we perform repeatedly an experiment in which a particular event 
occurs with negligible probability in l, then the expected number of repetitions 
before seeing an occurrence is superpolynomial in l. In this sense we can say 
that events that occur with negligible probability occur so seldom that polyno- 
mial time algorithms will never see them happening. We then have the following 
definitions: 

— The binding property comes in two flavors. 

unconditional binding: Means that even with infinite computing power, 
P cannot change his mind after committing. In this case, P will run the 
generator and send the function commit to V. We require that if commit 
is correctly generated, then b is uniquely determined from commit(r, b), 
and that an honest V accepts an incorrectly generated commit with at 
most negligible probability. 

computational binding: Means that unless you have “very large” com- 
puting resources, then your chances of being able to change your mind 
are very small. In this case, V will run the generator, so we can define it 
precisely as follows: take any probabilistic polynomial time algorithm P* 
which takes as input a public key produced by the generator 𝒢 on input 
1^l. Let ε(l) be the probability (over the random choices of 𝒢 and P*) 
with which the algorithm outputs a commitment and two valid openings 
revealing distinct values. That is, it outputs C, b, r, b', r' such that b ≠ b' 
and commit(r, b) = C = commit(r', b'). Then ε(l) is negligible in l. 

— The hiding property also comes in two flavors: 

unconditional hiding: Means that a commitment to b reveals (almost) no 
information about b, even to an infinitely powerful V. In this case V will 
run the generator and send the function commit to P. We require that if 
commit is correctly generated, then the distributions of commit(r, 0) and 
commit(s, 1) for random r, s are almost the same, meaning that one can 
be changed into the other by moving a negligible amount of probability 
mass. Furthermore an honest P should accept an incorrectly generated 
commit with at most negligible probability. In the best possible case, a 
commitment commit(r, b) has distribution independent of b, and P never 
accepts a bad commit function, i.e. commitments reveal no information 
whatsoever about the committed values. We then speak of perfectly hid- 
ing commitments. 

computational hiding: Means that a polynomially bounded V will have a 
hard time guessing what is inside a commitment. In this case, P will run 
the generator. A precise definition: consider any probabilistic polynomial 
time algorithm which takes as input a public key produced by 𝒢 on 
input 1^l, and a commitment commit(r, b), where b is 0 or 1, and outputs 
a bit. Let ε_b(l) be the probability that 0 is produced as output when 
the commitment contained b. Then |ε_0(l) − ε_1(l)| is negligible in l. This 
definition says that an adversary will not be able to tell efficiently which 
of the two given values is in a commitment, with probability much better 
than just guessing at random. 

Before we continue, a word of warning about the definitions of the computa- 
tional flavors of hiding and binding: They are based on the asymptotic behavior 
of an adversary as we increase the value of the security parameter. This is math- 
ematically convenient when doing proofs, and has nice connections to standard 
complexity theory - but one should take care when evaluating the meaning in 
practice of results according to such a definition: it implicitly classifies every- 
thing that can be solved in probabilistic polynomial time as being “easy” and 
anything else as being “hard”, and this distinction is not always accurate in 
real life. Even if a problem (such as breaking a commitment scheme) is asymp- 
totically hard, it might still be easy in practice for those input sizes we want 
in a particular application. This does not at all mean that asymptotic security 
results are worthless, only that usage of a scheme in real life should always be 
supplemented with an analysis of practical state of the art of solutions to the 
(supposedly) hard problem we base ourselves on. 

In any case, it is evident that the computational versions of the properties are 
more complicated to define than the unconditional ones. And since furthermore 
an unconditional guarantee is of course better, why don’t we just build commit- 
ments that are both unconditionally binding and hiding? Well, unfortunately 
this is impossible! 

Imagine we had such a scheme. Then, when P sends a commitment to e.g. 0, 
C = commit(r, 0), there must exist an r', such that C = commit(r', 1). If not, V 
could conclude that the committed value could not be 1, violating unconditional 
hiding. But then, if P has unlimited computing power, he can find r' and change 
his mind from 0 to 1, violating unconditional binding. This reasoning does not 
depend on the particular definition we have presented of commitment schemes. 
It extends to any protocol whatsoever for committing to a value in a two-player 
game. The basic reason for this is that the scenario by definition ensures that 
each player sees everything the other player sends. 

There are several scenarios, however, where this reasoning does not apply. In a 
distributed scenario with many players, or in a two-party case where communica- 
tion is noisy, it is no longer true that V sees exactly what P sends and vice versa. 
And in such cases, unconditional binding and hiding can in fact be obtained si- 
multaneously. For commitment schemes in such scenarios, see e.g. [10,3,14,9]. 
Note, however, that despite the fact that the reasoning does not apply to quan- 
tum communication either, bit commitment with unconditional security is not 
possible with quantum communication alone. More about this can be found in 
the article by Salvail in this volume. 

2.3 Examples of Commitment Schemes 

Many examples of commitment schemes have been suggested in the literature, 
see e.g. [4] for some basic ones or [11] for some later and more efficient examples. 

Above, we have seen an example based on RSA with unconditional binding. 
This scheme also satisfies computational hiding, assuming that the RSA encryp- 
tion function is hard to invert, although this is quite technically complicated to 
prove. It does not follow immediately, since a priori it might well be the case 
that the least significant bit of x is easy to compute from x^e mod n, even though 
all of x is hard to find. However in [1] it was proved that this is not the case: 
any algorithm that guesses the least significant bit of x with probability slightly 
better than 1/2 can, by a randomized polynomial time reduction, be turned into 
one that inverts the RSA encryption function. 

We now look at a general way to make commitment schemes with uncon- 
ditional hiding. It turns out that such schemes can be constructed if we can 
efficiently generate group homomorphisms that are 1-way functions, i.e. they 
are easy to compute but hard to invert. A precise definition: 

Definition 1 A Group Homomorphism Generator ℋ is a probabilistic polyno- 
mial time algorithm which on input 1^l outputs a description of two finite Abelian 
groups G, H and a homomorphism f : H → G. Elements in G, H can be repre- 
sented as l-bit strings, and the group operation and inverses in G and H can be 
computed in polynomial time. Finally, a uniformly chosen element in H can be 
selected in probabilistic polynomial time. 

ℋ is said to be one-way if in addition the following holds for any probabilistic 
polynomial time algorithm A: on input f, y, where f is selected by ℋ on input 1^l 
and y is uniformly chosen in Im(f), the probability that A outputs x ∈ H such 
that f(x) = y is negligible. 

As an example, consider any algorithm for generating a secure RSA modulus 
n. We can extend this to a homomorphism generator by choosing also a prime 
q > n, letting G = H = Z_n^*, the multiplicative group modulo n, and finally 
defining f(x) = x^q mod n. Assuming that RSA with modulus n and public 
exponent q is hard to invert, this clearly satisfies the requirements (recall that in 
general, f is a homomorphism if f(1) = 1 and f(xy) = f(x)f(y)). Note that q, 
being larger than n, must be prime to φ(n), and so one can directly check from 
a description of f that it is surjective. 

We can also base a generator on the discrete log problem. In this case, f 
would be of the form f(x) = g^x mod p for a large prime p. We leave the details 
to the reader. 
Given a generator as defined above, we define an unconditionally hiding 
scheme as follows. We assume for simplicity that given y, one can directly check 
if y ∈ Im(f). This is trivially true of the RSA implementation above. 

— Set-up Phase: the generator 𝒢 for the commitment scheme is defined based 
on the group homomorphism generator ℋ as follows: it runs ℋ on input 1^l, 
then chooses a random element x ∈ H and outputs f, G, H and y = f(x). In 
the set-up phase, V runs 𝒢 and sends the output f, G, H, y to P, who checks 
that y ∈ Im(f). 

— Commit function: is defined as a mapping from H × {0,1} to G. Concretely, 
commit(r, b) = y^b f(r). 

— Hiding Property: is unconditionally satisfied, since by assumption, P can 
verify without error that y ∈ Im(f), and in this case a commitment to b will 
have distribution independent of b, namely the uniform distribution over 
Im(f). This is because P chooses r uniformly in H, group homomorphisms 
are regular mappings (they map a fixed number of elements to one), and 
finally because multiplication by the constant y is a one-to-one mapping in 
the subgroup Im(f) ≤ G. Thus these commitments are in fact perfectly 
hiding. 

— Binding Property: Follows from the following fact: given any algorithm A 
that breaks the binding property of this scheme with success probability ε 
in time T_A, there exists an algorithm A' that inverts homomorphisms 
generated by ℋ with success probability ε as well and in time T_A plus the 
time needed for one inversion and one multiplication in G. 

This is easy to show: we are given f : H → G, y and must invert f in 
point y. We run A on input f, G, H, y pretending this is the public key of 
a commitment scheme instance. A outputs in time T_A a commitment c and 
openings r_0, 0 and r_1, 1. We now output x = 
We leave it to the reader 
to show that if indeed r_0, 0 and r_1, 1 are valid openings of c, then f(x) = y. 
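The unconditionally hiding scheme built from a group homomorphism generator, together with the black-box reduction A' used for the binding property, as an added example (not the paper's code). It instantiates the RSA homomorphism f(x) = x^q mod n of the text on a toy modulus constructed here (far too small to be secure), with q = 2^61 − 1, a prime larger than n. The function invert_from_double_opening is the reduction: from two valid openings (r_0, 0) and (r_1, 1) of one commitment it outputs r_0 · r_1^{-1}, and the test checks the claim left to the reader, namely that f of this value is y. The helper double_opening_with_trapdoor plays the role of the hypothetical algorithm A, which here can only succeed because it is handed the preimage x of y.

```python
import random
from math import gcd

# Toy instance of the RSA homomorphism generator of Section 2.3, constructed
# for this example: G = H = Z_n^*, f(x) = x^q mod n with q a prime larger than n.
# The primes are far too small to be secure.
P_TOY, Q_TOY = 999983, 1000003
N_TOY = P_TOY * Q_TOY
EXP_TOY = 2**61 - 1   # Mersenne prime > N_TOY, hence coprime to phi(n): f is a bijection


def f(x, n=N_TOY, q=EXP_TOY):
    """The one-way homomorphism: f(1) = 1 and f(xy) = f(x) f(y) mod n."""
    return pow(x, q, n)


def random_unit(n, rng):
    """Uniformly chosen element of H = Z_n^* (rejection sampling on gcd)."""
    while True:
        x = rng.randrange(1, n)
        if gcd(x, n) == 1:
            return x


def setup(n=N_TOY, rng=None):
    """Set-up phase, run by V: pick x in H and publish y = f(x)."""
    rng = rng or random.SystemRandom()
    return f(random_unit(n, rng), n)


def accept_key(y, n=N_TOY):
    """P's check that y is in Im(f).  Since f is surjective onto Z_n^* here,
    y is in the image exactly when it is a unit modulo n."""
    return 0 < y < n and gcd(y, n) == 1


def commit(y, r, b, n=N_TOY):
    """commit(r, b) = y^b * f(r) mod n, with r chosen uniformly in H."""
    return (pow(y, b, n) * f(r, n)) % n


def open_ok(y, c, r, b, n=N_TOY):
    """V's check of an opening (r, b) of commitment c."""
    return b in (0, 1) and 0 < r < n and commit(y, r, b, n) == c


def invert_from_double_opening(y, c, r0, r1, n=N_TOY):
    """The reduction A': two valid openings (r0, 0) and (r1, 1) of the same c
    give f(r0) = c = y f(r1), so y = f(r0 * r1^-1).  Returns that preimage,
    or None if the openings do not both verify."""
    if not (open_ok(y, c, r0, 0, n) and open_ok(y, c, r1, 1, n)):
        return None
    if gcd(r1, n) != 1:
        return None
    return (r0 * pow(r1, -1, n)) % n


def double_opening_with_trapdoor(x, r, n=N_TOY):
    """Stand-in for the algorithm A of the proof: knowing x with y = f(x), one
    commits to 1 with randomness r and can open the same c as 0 with
    randomness x*r, since y f(r) = f(x) f(r) = f(x r).  Returns (y, c, r0, r1)."""
    y = f(x, n)
    c = commit(y, r, 1, n)
    return y, c, (x * r) % n, r
```

Nothing in the block uses the factorisation of n: the only way to produce the two openings the reduction consumes is to know a preimage of y, which is exactly the statement that breaking binding is as hard as inverting f.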

There are several things to notice about this scheme and its proof: 

— In the set-up phase, it is essential that P is convinced that y ∈ Im(f). It 
would be devastating if V could get away with selecting y ∉ Im(f) (can you 
see what would go wrong?). For the RSA example, this was not a problem: 
P can check for himself that f is surjective which implies that y ∈ Im(f). 
In other cases, the set-up phase must be more elaborate in that V must 
convince P that the public key was correctly selected. This can be done 
using a zero-knowledge protocol (see Section 3). In particular it is always 
possible given any homomorphism f for V to convince P in zero-knowledge 
that y ∈ Im(f), which is in fact enough for the scheme to be secure. 

— The proof of the binding property is an example of so called proof by black- 
box reduction: we want to show that existence of cryptographic primitive P_1 
implies existence of primitive P_2. In our case P_1 = one-way group homo- 
morphisms and P_2 = unconditionally binding commitment schemes. 

To do this, we first make a construction that takes an instance of P_1 and 
builds an instance of P_2. This construction treats the instance of P_1 as a 
black-box: anything that satisfies the abstract requirements (e.g. for being a 
one-way group homomorphism) will do. We then show that any algorithm 
that can break P_2 can be used to build an algorithm that breaks P_1 “just as 
efficiently”. This is done by a reduction that treats the algorithm attacking 
P_2 as a black-box: it doesn’t care how the algorithm manages to break P_2, 
it just uses the fact that it succeeds in doing so. We conclude that if the 
security properties of P_2 are violated, so are those of P_1, and conversely, if 
secure instances of P_1 exist so do secure instances of P_2. 

This black-box paradigm has proven extremely productive in many areas of 
cryptography. See the article by Bellare in this volume for more information 
on this. 

— The black-box reduction we built to show the binding property is actually 
much stronger than needed for the definitions: for that, it would have been 
enough if we had shown that the running time of A' was polynomial in 
and that the success probability of A' was a polynomial function of ε. Still, 
what we have done is far from being overkill: what we want, in practice as 
well as in theory, is basically to say that “breaking the commitment scheme 
is just as hard as it is to invert the homomorphism”. And of course we can 
make this claim in a stronger sense, the more efficient a reduction we have. 
Hence if we want results that are meaningful not only in theory, but also in 
practice, it is important to try to obtain as efficient a reduction as possible 
in any proof of this type. 

— Group homomorphisms can also be used to build unconditionally binding 
commitments, and to build schemes where one can commit to many bits in 
the same commitment. For details on this, see [11]. 

2.4 Theoretical Results of Existence of Commitment Schemes 

It is easy to see that if any commitment scheme in the two-player model exists, 
then a one-way function must also exist. For example, in our definition, it is 
clear that the function commit must be one-way in order for the commitment 
scheme to be secure. 

Hence, the optimal result would be to show existence of commitment schemes 
based only on the existence of one-way functions. Such a result is known for one 
type of commitment scheme, and follows from a result of Naor [29] (actually, 
Naor’s result is the last in a chain of results linking one-way functions with 
commitments through other primitives such as pseudorandom generators, for ref- 
erences on this, see [29]): 

Theorem 2. If one-way functions exist, then commitment schemes with uncon- 
ditional binding (and computational hiding) exist. 

For unconditionally hiding schemes, the situation is different. In [30], the 
following is proved: 

Theorem 3. If one-to-one surjective one-way functions exist, then commitment 
schemes with perfect hiding (and computational binding) exist. 
In [31], with generalizations to multi-bit commitments in [18], the following 
is proved: 

Theorem 4. If collision-intractable hash functions exist, then there exist com- 
mitment schemes with unconditional hiding (and computational binding). 

Loosely speaking, a collision intractable hash function is a function h : 
{0,1}^k → {0,1}^l such that l < k, h is easy to compute, but it is hard to 
find x ≠ y such that h(x) = h(y) (although such values must of course exist; 
for a precise definition, see [15]). 

Whereas the first two of these three basic results involve very complex re- 
ductions and therefore are of limited practical value, the third one can lead to 
very practical schemes. 

There is no implication known in either direction between existence of one- 
way one-to-one functions and collision-intractable hash functions, so the last 
two results are in this sense “independent” from a theoretical point of view. 
The obvious question “does existence of one-way functions imply existence of 
unconditionally hiding commitments?” is a long standing open problem. 



3 Zero-Knowledge Protocols 

3.1 Introduction 

In order for a modern computer network to offer services related to security, it 
is a basic necessity that its users have access to private information, in the form 
of e.g. passwords, PIN codes, keys to cryptosystems, keys to signature systems 
etc. If I know every bit of information that you know, it will be impossible for 
the rest of the system to tell us apart. 

This introduces a basic problem when implementing such services: of course 
I want my private information to stay private, but as soon as I start using it 
as input when computing the messages I send to other parties on the net, this 
introduces the risk of leaking private information, in particular if the parties 
I interact with do not follow the protocols, but instead do their best to mali- 
ciously trick me into revealing my secrets. This dilemma can be solved if we use 
protocols on the net for which we can control exactly how much sensitive infor- 
mation is being released, even in presence of adversarial behavior. The concept 
of zero-knowledge, first introduced by Goldwasser, Micali and Rackoff [26], is 
one approach to the design of such protocols. 

As an easy example, consider the classical user identification problem: we 
have a host computer that would like to verify the identity of users that try to 
log on. The classical solution is assign a private password to each user. When 
logging on, the user types his user name and password, this is sent to the host, 
who checks it against a stored list. 

The security problems with this are many and well known. Let us concentrate 
here on the obvious problem that if an adversary eavesdrops the line, he can pick 
up the password, and then impersonate the user. When trying to solve this, the 
immediate reaction might be to propose that we transport instead the password 
in a protected way. Perhaps we should just encrypt it? 

But then we would be barking up the wrong tree. We have to ask ourselves 
first what the purpose of the protocol is. Is it to send the password from the 
user to the host? No! - we are trying to identify the user. What we have done 
initially is to assign a secret (the password) to each user, so when someone types 
his user name, say xxx, this is equivalent to claiming that a certain statement 
is true, in this case “I know the secret corresponding to user name xxx”. 

The only thing the host needs to know here is 1 bit of information, 
namely whether this statement is true or not. The real purpose of the protocol 
is to communicate this piece of knowledge to the host. Sending the secret of the 
user in clear is just one way, and not even a very intelligent way to do it. 

In general, we could have the user and host conduct an interactive protocol, 
where at the end, the host can compute a one-bit answer saying whether the user 
was successful in proving himself or not. Here of course we have to design the 
protocol such that if the user really knows the right secret, he will be successful, 
whereas the answer will be no, if the user is cheating and does not know the 
secret. If this is satisfied, we can say that the protocol really does communicate 
this 1 bit of knowledge saying whether the claim is true or not. But moreover, 
if we design the protocol correctly, we can actually obtain that it communicates 
nothing more than this. Which would mean that for example an eavesdropper 
listening to the communication would be just as far away from guessing the user’s 
secret after seeing the conversation as he was before. 

This leads to our first very loose definition of zero-knowledge: a protocol is 
zero-knowledge if it communicates exactly the knowledge that was intended, and 
no (zero) extra knowledge. 

3.2 A Simple Example 

One way to realize the scenario where each user has his own secret is to use a 
public key cryptosystem. So suppose each user A has a private key S_A known 
only to him, whereas everyone, including the host, knows the public key P_A. 

Now, if the cryptosystem is any good, it must be the case that decrypting a 
ciphertext C = P_A(M) is hard unless you know the private key. Hence, if you 
meet someone who is able to decrypt a ciphertext you send him, it is reasonable 
to conclude that he knows S_A, at least if you make sure that the message you 
encrypt is randomly chosen from a large set, such that the probability of guessing 
your choice is negligible. This suggests the following simple protocol, where we 
rename the players so that the description fits better with the definitions to 
follow: the user, who is the one wanting to convince the other about the truth 
of some claim, will be called the Prover (P), and the host, who is interested in 
checking that the claim is true, will be called the Verifier (V). 

1. If the prover claims to be A, the verifier chooses a random message M, and 
sends the ciphertext C = P_A(M) to the prover. 

2. The prover decrypts C using S_A and sends the result M' to the verifier. 

3. The verifier accepts the identity of the prover if and only if M' = M. 
Let us look at this protocol from the point of view of both parties. Should 
the verifier be happy about this protocol? The answer is yes if the public key 
system used is secure: while the owner of S_A can always conduct the protocol 
successfully, an adversary who knows only the public key and a ciphertext should 
not be able to find the plaintext essentially better than by guessing at random. 

Now what about security from the (honest) prover’s point of view - is any 
unnecessary knowledge being communicated to the verifier here? At first sight, it 
may seem that everything is OK: if we consider the situation of the verifier just 
after sending C, then we might argue that since the verifier has just chosen the 
message M itself, it already knows what the prover will say; therefore it learns 
no information it didn’t know before, and so the protocol is zero-knowledge. 

But this reasoning is WRONG! It assumes that the verifier follows the proto- 
col, in particular that C is generated as prescribed. This is of course unreasonable 
because nothing in the protocol allows the prover to check that the verifier is be- 
having honestly. This is more than a formal problem: assume that an adversary 
takes control of the verifier, and sends instead of a correctly generated C some ci- 
phertext C intended for the correct prover, that the adversary has eavesdropped 
elsewhere. And now, following the protocol, the unsuspecting prover will kindly 
decrypt C for the adversary! 

This is certainly not the kind of knowledge we wanted to communicate, and 
hence this protocol is definitely not zero-knowledge. How can we repair this 
protocol? The basic problem we saw is that when the verifier sends C, we are 
not sure if it really knows the corresponding plaintext M . If it did, we would be 
fine. However, the verifier will of course not be willing to reveal M immediately, 
since from its point of view, the purpose of the protocol is to test if the prover 
can compute M based only on C. And for the reasons we saw above, the prover 
will not be willing to go first in revealing M either. So we have a sort of deadlock 
situation similar to the one in the coin-flipping by telephone problem from the 
former section. Like that problem, this one can be solved using commitments. 

Assume we have a commitment scheme that lets the prover commit to any 
message that can be encrypted by the public key system. Let commit(r, M) 
denote a commitment to message M (using random choice r - we can always 
commit bit by bit if no more efficient methods are available). Then consider the 
following: 

1. If the prover claims to be A, the verifier chooses a random message M, and 
sends the ciphertext C = P_A(M) to the prover. 

2. The prover decrypts C using S_A and sends a commitment to the result 
commit(r, M') to the verifier. 

3. The verifier sends M to the prover. 

4. The prover checks if M = M'. If not he stops the protocol. Otherwise he 
opens the commitment, i.e. he sends r, M' to the verifier. 

5. The verifier accepts the identity of the prover if and only if M' = M and 
the pair r, M' correctly opens the commitment. 

Proving formally that this repair works turns out to be surprisingly compli- 
cated, but possible. The necessary techniques can be found e.g. in [5,24]. Here, 
however, we are only interested in arguing informally why such a solution should 
have a chance of working: first, the protocol demonstrates that the prover can 
decrypt C based on C alone, since when the verifier finds the right plaintext 
inside the commitment, this shows that the prover knew it already in step 2, by 
the binding property of the commitment scheme. As for zero-knowledge, either 
the verifier knows M or not. If yes, then it can send the correct M in step 3, 
but then it already knows what it will find inside the commitment in step 5 
and so learns nothing new. If not, then it cannot send the right value in step 3, 
the prover will stop the protocol, and the verifier will be left with an unopened 
commitment which by the hiding property is a useless piece of information that 
might represent any value whatsoever. 
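The flawed and the repaired identification protocol side by side, as an added example (not from the paper). The public-key system is textbook RSA on a toy key pair constructed here (insecure size), and commit(r, M) is a hash-based commitment SHA-256(r || M), the collision-intractable-hash flavour of Theorem 4, used in place of bit-by-bit commitment. naive_prover is step 2 of the first protocol and shows why the honest prover acts as a decryption oracle for whoever sends it a ciphertext; repaired_run is steps 2 to 5 of the second protocol, where a verifier that does not already know M is refused and is left with only an unopened commitment.

```python
import hashlib
import secrets

# Toy RSA key pair for user A, constructed for this example (insecure size).
P_TOY, Q_TOY = 999983, 1000003
N_A = P_TOY * Q_TOY
E_A = 65537                                        # public key P_A = (N_A, E_A)
D_A = pow(E_A, -1, (P_TOY - 1) * (Q_TOY - 1))     # private key S_A


def encrypt(m, n=N_A, e=E_A):
    """P_A(M): textbook RSA encryption of an integer message M < n."""
    return pow(m, e, n)


def decrypt(c, n=N_A, d=D_A):
    """Decryption with S_A."""
    return pow(c, d, n)


def commit(r, m):
    """Hash-based commitment to message m with randomness r (32 random bytes)."""
    return hashlib.sha256(r + m.to_bytes(16, "big")).digest()


def open_ok(c, r, m):
    """Verifier's check that (r, m) opens commitment c."""
    return commit(r, m) == c


def naive_prover(ciphertext):
    """Step 2 of the first protocol: decrypt whatever ciphertext arrives.  A
    ciphertext for A eavesdropped elsewhere is decrypted for the asker, which
    is the leak the text points out."""
    return decrypt(ciphertext)


def repaired_run(claimed_m, ciphertext, prover_rng=secrets):
    """Steps 2 to 5 of the repaired protocol.  The verifier sent `ciphertext`
    in step 1 and sends `claimed_m` in step 3; it equals the plaintext only if
    the verifier generated the ciphertext itself.
    Returns (accepted, view), where view is everything the verifier saw."""
    # Step 2: the prover decrypts but sends only a commitment to M'.
    m_prime = decrypt(ciphertext)
    r = prover_rng.token_bytes(32)
    c = commit(r, m_prime)
    # Step 4: the prover compares the verifier's M with M' before opening.
    if claimed_m != m_prime:
        # The verifier did not know M: it keeps only an unopened commitment,
        # which by the hiding property tells it nothing about M'.
        return False, {"commitment": c}
    # Step 5: the verifier checks the opening against its own M.
    accepted = open_ok(c, r, m_prime) and m_prime == claimed_m
    return accepted, {"commitment": c, "opening": (r, m_prime)}
```

The order of steps 3 and 4 is the whole point: the verifier has to reveal M before the prover reveals anything, and the commitment sent in step 2 is what allows the prover to go second without being able to change its answer after seeing M.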

If nothing else, this example demonstrates first the fundamental role that 
commitments often play in protocol design, and second that we should not ar- 
gue security of protocols based on what players should be doing according to 
the protocol, we must take any adversarial behavior into account. Finally, it 
also demonstrates one basic design principle for zero-knowledge protocols that 
continues to appear in all sorts of incarnations: have the prover demonstrate 
something the verifier already knows. The problem with this is, in the above 
protocol as in all protocols of this type, to ensure that the verifier does indeed 
know in advance what the prover will say. For other examples of this kind, see 
e.g. the graph nonisomorphism protocol from [25]. 



3.3 Definitions 

Interactive Proof Systems and Proofs of Knowledge The protocols to 
follow will take place as interactions between two Interactive Turing Machines, 
i.e. ordinary probabilistic Turing machines that are in addition equipped with 
communication tapes allowing a machine to send and receive messages from the 
other one. A formal definition can be found in [26]. 

To define interactive proof systems, we assume that one machine, called the 
prover (P) has infinite computing power, and the other called the verifier (V) 
is polynomial time bounded. The machines get a common input string (usually 
called x) . Running the machines on some input x results in V outputting accept 
or reject after which the machines halt. We say that the pair (P, V) accepts or 
rejects x accordingly. Finally a binary language L is given. 

In the previous section, we talked about the intuitive model where the prover 
claims that "a certain statement is true". We now specialize to the concrete case 
where the prover claims that a certain logical statement is true, namely that 
x ∈ L. This can be compared in the real world to convincing someone that a 
certain theorem is true. Concretely, we have the following definition [26]: 

Definition 5 The pair (P, V) is an interactive proof system for L if it satisfies 
the following two conditions: 

Completeness: If x ∈ L, then the probability that (P, V) rejects x is negligible 
in the length of x. 

Soundness: If x ∉ L, then for any prover P*, the probability that (P*, V) accepts 
x is negligible in the length of x. 

What these conditions say is that first, the honest prover can always convince 
the verifier about a true statement, but that there is no strategy that convinces 
him about something false. Both conditions are required to hold except with 
negligible probability, and are in fact rather strong: even if the honest prover 
can convince the verifier using only polynomial computing time, there must be 
no way to cheat the verifier, even using infinite computing power. 

There are two features that make this definition interesting, namely that 
interaction and error probabilities are allowed. It is easy to see that if the prover 
is only allowed to send a single message to the verifier, who should then be able 
to check without error that the input x is in L, we would only be redefining the 
class NP. But with these two features, the model becomes much more powerful 
in terms of the class of statements that can be proved, as we shall see. 

There is a variant of this, known as Proofs of Knowledge, where the prover’s 
claim has a different flavor: he claims to know a certain piece of information (such 
as a secret key corresponding to a given public one). Such proof systems can 
be defined in a similar model, where however the completeness and soundness 
properties are replaced by knowledge completeness and knowledge soundness. 
The first property simply says that if the prover knows the claimed information 
and follows the protocol, he can almost always convince the verifier. The second, 
loosely speaking, says that if some prover can, using whatever strategy, convince 
the verifier with substantial probability, then the prover knows the information 
in question. By “knowing the information” we mean that the prover can compute 
it, and that the time he needs to do so is roughly inversely proportional to the 
probability with which the verifier gets convinced. A precise definition can be 
found in [2]. 

Interactive Arguments Another variant of Interactive proof systems is known 
as Interactive Arguments and has perhaps more direct relations to practical 
protocols. In this type of protocol, we want the prover to be polynomial time, 
but on the other hand are only concerned about polynomial time provers cheating 
the verifier. This can be said to be a complexity theorist’s way of modelling the 
situation where only realistic computing power is available to prover and verifier. 

The simplest way to define an interactive argument for a language L is to 
say that it is an interactive proof system, but with two changes: 

- The honest prover is required to be probabilistic polynomial time, and its 
only advantage over the verifier is that it has a private auxiliary input. The 
completeness condition says that for every x ∈ L, there is an auxiliary input 
that allows the prover to convince the verifier almost always (*). 

- The soundness condition says "for any probabilistic polynomial time prover", 
instead of "for any prover". 

(*) In order for the protocol to be interesting at all, the prover must have some advantage; 
otherwise the verifier might as well go and solve the problem on his own. 

It turns out that this simplistic definition of soundness is not quite adequate 
in all cases, but it will do for us here. For a more complete set of definitions and 
a discussion of this, see [17]. 

Zero-Knowledge Zero-Knowledge can be seen as an extra property that an 
interactive proof system, a proof of knowledge or an interactive argument may 
have. Here, we want to express the requirement that whatever strategy the ver- 
ifier follows, and whatever a priori knowledge he may have, he learns nothing 
except for the truth of the prover’s claim. We do this by requiring that assuming 
the prover’s claim is true, the interaction between the prover and verifier can be 
efficiently simulated without interacting with the prover. 

A verifier that tries to cheat the prover can be modelled by an arbitrary 
probabilistic polynomial time machine V* that gets an auxiliary input H of length 
some fixed polynomial in the length of the common input x. This represents a 
priori information that V* could have, e.g. from earlier executions of the protocol, 
which it may now use to trick the prover into revealing more information. 
By a conversation between P and V we mean the ordered concatenation of all 
messages sent between P and V in an execution of the protocol. We get the 
following [26]: 

Definition 6 An interactive proof system or argument (P, V) for language L is 
zero-knowledge if for every probabilistic polynomial time verifier V*, there is a 
simulator M_{V*} running in expected probabilistic polynomial time, such that for 
x ∈ L and any auxiliary input H, the distribution of conversations output by 
M_{V*} on input x, H is computationally indistinguishable from the distribution of 
conversations produced by (P, V*) on input x and H (given to V*). 

By "computationally indistinguishable", we mean the following: consider any 
probabilistic polynomial time distinguisher D, who gets as input x ∈ L and H as 
above. In case 0 it also gets a conversation generated by (P, V*) on this input, in 
case 1 it gets a simulated conversation generated from the same input. D outputs 
a bit, which we can think of as its guess at which case we're in. Let p_i(x, H) be 
the probability that D outputs 0 from this experiment, assuming we are in case 
i, i = 0, 1. These probabilities are taken over the coin tosses used for producing 
the conversations as well as over internal coin tosses of D. Then computational 
indistinguishability means that |p_0(x, H) - p_1(x, H)| is negligible in the length 
of x. 

For some protocols, we can obtain that real and simulated conversations have 
exactly the same distribution; in this case we speak of perfect zero-knowledge. 
In other cases, the distributions are different, but very close to each other in 
the sense that the amount of probability mass one must move to change one 
into the other is negligible; then we speak of statistical zero-knowledge. Clearly, 
perfect zero-knowledge implies statistical zero-knowledge, which in turn implies 
computational zero-knowledge as defined above. 

(*) Usually, one allows P to be a non-uniform algorithm, i.e. it is specified by a family 
of polynomial size Boolean circuits, but this is not so important for our purposes 
in this paper. 

At first sight, the zero-knowledge definition may seem intuitively to contra- 
dict the proof system definition: first we say that the verifier should be convinced 
by talking to the prover. But then we require that the whole conversation can 
be efficiently simulated without talking to the prover - doesn’t this mean that 
having a conversation with the prover cannot be convincing? 

Fortunately, this is not the case. The explanation is that a simulator has 
some degrees of freedom that the prover doesn't have when executing the real 
protocol. In particular, the simulator can generate messages of a conversation 
in any order it wants: it can start with the last message first, and then try 
to find earlier messages that match. A real prover is forced by the verifier to 
proceed in the protocol with the correct time ordering of messages. And this is 
why it can be possible that even an infinite prover cannot cheat the verifier, and 
still a simulator with no special knowledge or computing power can simulate the 
conversation. For concreteness, see the example below. 

3.4 An Example 

We describe here a simple example taken from [25], namely a perfect zero- 
knowledge proof system for the graph isomorphism problem: the common input 
in this case is a pair of graphs G_0, G_1 each on n nodes, and the prover claims the 
graphs are isomorphic: there is a permutation π (an isomorphism) such that by 
permuting the nodes of G_0 according to π (and connecting two resulting nodes 
iff their preimages were connected in G_0), one obtains the graph G_1. We say 
that π(G_0) = G_1. 

Note that no general probabilistic poly-time algorithm is known for deciding 
if two graphs are isomorphic. We will use n as a measure of the length of the 
input. In the protocol, we actually do not need P to be infinitely powerful, 
although the definition of proof systems allows this; it is enough that he knows 
an isomorphism π. The protocol works by repeating sequentially the following 
steps n times: 

1. P chooses a random permutation φ on n points and sends H = φ(G_0) to V. 

2. V chooses at random a bit b, and sends it to P. 

3. If b = 0, P sets ψ = φ^{-1}. Else he sets ψ = π φ^{-1}. He sends ψ to V, who 
checks that ψ(H) = G_b, and rejects immediately if not. 

The verifier accepts only if all n iterations were completed successfully. 

First, let us check that this is a proof system. Completeness is obvious: if 
indeed π(G_0) = G_1 and φ(G_0) = H, then it follows trivially that V's check will 
be satisfied for both values of b. Soundness can be argued as follows: observe that 
we must prove something here assuming that the prover's claim is wrong, which 
in this case means that G_0 is not isomorphic to G_1. Now assume that in one of 
the n iterations, P can answer both values of b with permutations that satisfy 
V's check. Let ψ_0, ψ_1 be the permutations sent as response to b = 0, 1. Since 
V's checks are satisfied, we know that ψ_0(H) = G_0 and ψ_1(H) = G_1. It follows 
that G_0 is isomorphic to G_1 under the isomorphism ψ_1 ψ_0^{-1}, a contradiction. 

Consequently, it must be the case that in all n iterations, the prover is able 
to answer at most one of the 2 possible values of b. Hence the probability of 
acceptance is at most 2^{-n}, which is certainly negligible in n. 

Finally, let us show that the protocol is perfect zero-knowledge. To this end, 
we must build a simulator. The easiest way to think of a simulator usually is 
to think of it as an algorithm that tries to complete the protocol, playing the 
role of the prover, but of course without any special knowledge or computing 
power. Thus, a non-trivial trick is needed. In our case, we cannot just execute 
the protocol: we saw in the argument for soundness that knowing how to answer 
both of V's challenges at the same time implies we can compute an isomorphism 
between G_0 and G_1, and no efficient algorithm is known for this. However, it is 
possible to prepare in such a way that one of the challenges can be answered. 
This is used in the following algorithm for a simulator M: 

1. Start the machine V*, which means giving it inputs G_0, G_1 (plus possibly 
some auxiliary input H) and supplying random input bits for V*. These are 
needed since V* is allowed to be a probabilistic algorithm; we choose the 
random bits here and keep them fixed for the rest of the simulation. 

2. To simulate one iteration, execute the following loop: 

(a) Choose a bit b' and a permutation ψ at random. Set H = ψ^{-1}(G_{b'}) and 
send H to V*. 

(b) Get b from V*. If b = b', output (H, b, ψ) and exit the loop. Else, reset V* 
to its state just before the last H was chosen, and go to step 2a. 

If we have completed simulation of all n iterations at this point, then stop. 
Else start at Step 2a again. 

So in simulating one iteration, the simulator prepares to answer question 
b', and hopes that this is the question V* will ask. If this happens, we're in 
business and can complete the simulation of the current iteration. Otherwise 
we just pretend the bad case never happened by rewinding V* and then we 
try again. At first sight, this rewinding technique can seem somewhat strange. 
However, it is essentially the same as rebooting your PC when it crashes: if we 
reach a configuration we don't like, we take the machine back to one we like 
better; so in this sense rewinding is an everyday experience (*). 

To show that this simulator works, we need to show two things: M runs in 
expected polynomial time, and the distribution output by M is exactly the same 
as in a real protocol run. 

Observe first that, by definition of zero-knowledge, we always prove correctness 
of a simulation assuming that P's claim is true; in our case this means that 

(*) If your PC never crashes, you should be making a fortune in consultancy instead of 
reading this book! 

G_0 is isomorphic to G_1. Let S be the set of all graphs isomorphic to G_0 (or G_1). 
It is straightforward to check that the distribution of H generated in the simulation 
is the same as in the real protocol, namely the uniform distribution over 
S. In particular it is independent of b'. It follows that the b chosen by V* must 
be independent of b' as well, and so Prob(b' = b) = 1/2. Hence the expected 
number of times we do the loop to simulate one iteration is 2, and so the whole 
simulation takes expected time 2n times the time to go through the loop once, 
which is certainly polynomial in n. 

Finally, the output distribution: The simulator produces for the i-th iteration 
a triple (H, b, ψ). First note that the candidate H's produced in step 2a are 
uniform over S. By independence of H and b', the decision to keep H or rewind 
and throw it out does not depend on the choice of H. Hence the H's actually 
output are also uniform over S, as in the real protocol. The b occurring in a 
triple is by construction always the value V* would send having seen H (recall 
that we fix V*'s random bits initially). And finally ψ is a random permutation 
mapping H to G_b, just as in the real protocol. Thus the output distribution of 
M matches the real protocol exactly. 
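The protocol of Section 3.4 and its simulator, as an added example in Python (this is not code from the paper or from [25]). It plays all four roles discussed above: the honest prover who knows π, a cheating prover on non-isomorphic graphs, the verifier V* of Section 3.5 whose challenge bit is a hash of its random tape and every graph received so far, and the simulator M, which "rewinds" V* by restoring a snapshot of its state. The representation of graphs and permutations, the hash-based V*, and the instances PATH, STAR and PI are this example's own constructions.

```python
"""Graph isomorphism zero-knowledge proof [25] (Section 3.4): honest prover,
cheating prover, adversarial verifier V* and the rewinding simulator M.  Added
example, not code from the paper.  A graph on n nodes is a frozenset of edges
(i, j), i < j; a permutation is a tuple p with p[i] the image of node i.
PATH, STAR and PI at the bottom are constructed instances."""
import copy
import hashlib
import random

def apply_perm(p, graph):
    """Relabel nodes by p: edge (i, j) becomes (p[i], p[j])."""
    return frozenset(tuple(sorted((p[i], p[j]))) for i, j in graph)

def inverse(p):
    inv = [0] * len(p)
    for i, img in enumerate(p):
        inv[img] = i
    return tuple(inv)

def compose(p, q):
    """(p o q)[i] = p[q[i]]: q is applied first, then p."""
    return tuple(p[q[i]] for i in range(len(q)))

def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

class HonestVerifier:
    """V as specified: a fresh random challenge bit in each round."""
    def __init__(self, rng):
        self.rng = rng
    def challenge(self, H):
        return self.rng.getrandbits(1)

class HashVerifier:
    """V* of Section 3.5: the challenge bit is a one-way function of a fixed
    random tape and every graph received so far."""
    def __init__(self, tape):
        self.tape, self.seen = tape, []
    def challenge(self, H):
        self.seen.append(sorted(H))
        return hashlib.sha256(repr((self.tape, self.seen)).encode()).digest()[0] & 1

def verify_round(G0, G1, H, b, psi):
    """V's check in step 3: psi(H) = G_b."""
    return apply_perm(psi, H) == (G0, G1)[b]

def honest_round(G0, G1, pi, vstar, rng):
    """Steps 1-3 for a prover who knows pi with pi(G0) = G1."""
    phi = random_perm(len(pi), rng)
    H = apply_perm(phi, G0)                                       # step 1
    b = vstar.challenge(H)                                        # step 2
    psi = inverse(phi) if b == 0 else compose(pi, inverse(phi))   # step 3
    return H, b, psi

def cheating_round(G0, G1, n, vstar, rng):
    """Without an isomorphism one can prepare for one challenge b' only:
    pick psi, set H = psi^-1(G_b'); the check passes exactly when b = b'."""
    b_guess, psi = rng.getrandbits(1), random_perm(n, rng)
    H = apply_perm(inverse(psi), (G0, G1)[b_guess])
    return H, vstar.challenge(H), psi

def run(G0, G1, n, rounds, vstar, rng, pi=None):
    """Whole protocol: accept iff all rounds verify; pi=None means cheating prover."""
    for _ in range(rounds):
        if pi is None:
            H, b, psi = cheating_round(G0, G1, n, vstar, rng)
        else:
            H, b, psi = honest_round(G0, G1, pi, vstar, rng)
        if not verify_round(G0, G1, H, b, psi):
            return False
    return True

def simulate(G0, G1, n, rounds, vstar, rng):
    """Simulator M: the cheating prover's trick plus rewinding.  If V* asks for
    the other bit, M resets V* to its state before H was sent and retries.
    Returns (transcript, number of rewinds)."""
    transcript, rewinds = [], 0
    for _ in range(rounds):
        while True:
            saved = copy.deepcopy(vstar)             # snapshot of V*'s state
            b_guess, psi = rng.getrandbits(1), random_perm(n, rng)
            H = apply_perm(inverse(psi), (G0, G1)[b_guess])
            if vstar.challenge(H) == b_guess:
                transcript.append((H, b_guess, psi))
                break
            vstar, rewinds = saved, rewinds + 1      # rewind V* and try again
    return transcript, rewinds

def cheat_rate(G0, G1, n, rounds, trials, rng):
    """Fraction of runs a cheating prover survives against V; about 2^-rounds."""
    wins = sum(run(G0, G1, n, rounds, HonestVerifier(rng), rng) for _ in range(trials))
    return wins / trials

PATH = frozenset({(0, 1), (1, 2), (2, 3)})   # constructed: path on 4 nodes
STAR = frozenset({(0, 1), (0, 2), (0, 3)})   # constructed: not isomorphic to PATH
PI = (2, 0, 3, 1)                              # constructed isomorphism
```

Running `simulate(PATH, apply_perm(PI, PATH), 4, 20, HashVerifier(b"tape"), random.Random(7))` yields a 20-round transcript that passes `verify_round` in every round although the simulator never touches PI, and the rewind counter lands near 20, matching the expected two attempts per iteration. `cheat_rate(PATH, STAR, 4, 10, 500, rng)` shows the soundness bound: without an isomorphism, only about one run in 2^10 survives. The snapshot/restore in `simulate` is exactly what fails for the parallel version discussed in Section 3.5, since all challenge bits would have to be guessed before any snapshot could be restored.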

This example demonstrates another basic design idea for zero-knowledge pro- 
tocols: the prover is asked to answer one out of some set of questions. We set it 
up such that he can only answer all of them if his claim is true, but such that 
one can always prepare for answering any single question properly. For other 
examples of this type of protocol, see e.g. [11,12,13,21,27,32]. 

3.5 Known General Results and Open Problems 

Having seen a few examples of zero-knowledge proofs, it is natural to ask some 
more general questions: 

- Which languages have interactive proofs? 

- Which languages have (perfect/statistical) zero-knowledge interactive proofs? 

- Can we compose several zero-knowledge protocols and obtain again a zero-knowledge 
protocol? 

It turns out that the answers depend strongly on whether the prover (and 
cheating provers) are allowed infinite computing power, or only polynomial time, 
that is, if we are talking about proof systems or arguments. 

Results on Interactive Proofs and Arguments For an unbounded prover, 
the first question has been answered recently by Shamir [33], where we define 
IP = {L | L has an interactive proof system}: 

Theorem 7. IP = PSPACE, i.e. the statements that an all powerful prover 
can prove to a polynomially bounded verifier are precisely those that can be 
verified using polynomially bounded memory (but possibly unbounded time). 

If the prover is polynomially bounded, it is clear that his only possible 
advantage over the verifier is that he may have more information than the verifier. 
In this case, the best the prover can do to convince the verifier is to simply 
send his information, s, say, to the verifier who should then be able to check 
the prover's statement based on s, where some error probability is allowed. The 
class of languages allowing such probabilistic verification of membership given 
auxiliary knowledge is already well known as NBPP or MA. So if we define 
Bounded-Prover-IP to be the class of languages that have interactive arguments, 
then we have: 

Theorem 8. Bounded-Prover-IP = MA 



Results on Zero-Knowledge We first look at the case of zero-knowledge 
interactive proofs. Let 

ZKIP = {L | L has a zero-knowledge interactive proof system}. 

Goldreich, Micali and Wigderson [25] show that NP ⊆ ZKIP if commitment 
schemes with unconditional binding exist. This was extended to all of IP 
in [6]. This, together with Theorem 2, gives: 

Theorem 9. If one-way functions exist, then ZKIP = IP. 

It is natural to ask also about statistical and perfect zero-knowledge. Let 
PZKIP, SZKIP denote the classes of languages with perfect, resp. statistical 
zero-knowledge proof systems. Except for the trivial PZKIP ⊆ SZKIP ⊆ 
ZKIP, very little is known with certainty. We know that a few languages with 
nice algebraic properties, such as graph isomorphism and quadratic residuosity (*), 
are in PZKIP. Also the complements of these languages are in PZKIP, and 
this is interesting since a problem such as graph non-isomorphism is not known to 
be in NP, and so it seems unlikely that PZKIP ⊆ NP. It also seems unlikely 
that the converse inclusion holds: Fortnow [20] has proved that if it does, then 
the polynomial hierarchy collapses, something believed to be false by many 
complexity theorists. In fact this can be seen as evidence that the graph isomorphism 
problem is not NP-complete, one of the few real pieces of evidence that have been found. 

A nice characterization of languages in PZKIP or SZKIP is an interesting 
open problem. We do know, however, some information on complete problems 
in SZKIP [35], and that a proof system that is statistical zero-knowledge w.r.t. 
the honest verifier implies existence of a proof system that is statistical zero- 
knowledge in general [23]. 

Let us mention also a variant of the zero-knowledge concept, known as non- 
interactive zero-knowledge. In the non-interactive zero-knowledge model, an 
unbounded prover and a polynomial time verifier share access to a random string 
σ. It is assumed as a part of the model that σ contains independent random 
bits. The prover must now convince the verifier that a common input x is in some 
language L by sending only one message α (hence the "non-interactiveness"). The 
verifier then checks α against x and σ and accepts or rejects. 

This proof system is called sound if whenever x ∉ L, no prover can make 
the verifier accept with non-negligible probability over the choice of σ. It is zero- 
knowledge if the pair (σ, α) can be simulated with an indistinguishable distribution 
in expected polynomial time. 

(*) This is the set of pairs of numbers (n, a), where a is a square modulo n. 

This model was introduced by Blum, de Santis, Micali and Persiano [7] to 
formalize the absolute minimal amount of interaction required to prove non- 
trivial statements in zero-knowledge. 

To distinguish between all the relevant complexity classes now involved, we 
use the following notation: Let NIZK, NIPZK and NISZK denote the classes 
of languages with non-interactive computational, perfect and statistical zero- 
knowledge proof systems. 

Lapidot and Shamir [28] have shown that 

Theorem 10. If one-to-one surjective one-way functions exist, then NP C 
NIZK. 

It is an open question whether any one-way function would be sufficient. 

The non-interactive model is weaker than the normal interactive model in 
that interaction is not allowed, but in another respect stronger because a ran- 
dom string with correct distribution is assumed to be given “for free” . It is 
therefore not immediately clear whether any language that has a non-interactive 
zero-knowledge proof system also has an interactive one and vice versa. In [16], 
Damgard shows: 

Theorem 11. We have that NIZK ⊆ ZKIP, NISZK ⊆ SZKIP and that 
NIPZK ⊆ PZKIP. 

We already know that if one-way functions exist, ZKIP = PSPACE. This 
together with the fact that a non-interactive proof uses only a constant number of 
rounds provides very strong evidence that the first containment above is proper, 
since it is extremely unlikely that a constant number of rounds would be sufficient 
to prove all of IP. On the other hand, the corresponding questions for the classes 
where statistical or perfect zero-knowledge are required seem more open. 

For the interactive argument model - which is the most interesting one in 
practice - the situation is again quite different. We have already seen that the 
only statements we can hope to prove at all are those in the class MA. 

So the remaining question is whether we can prove any such statement in 
zero-knowledge, or even in perfect zero-knowledge. 

In [4], Brassard, Chaum and Crépeau show that any MA-language has a 
perfect zero-knowledge argument, if commitment schemes with unconditional 
hiding exist. It follows that 

Theorem 12. If one-to-one surjective one-way functions exist, resp. if collision- 
intractable hash functions exist, then any language in MA has a perfect, resp. 
statistical zero-knowledge interactive argument. 

There is currently no implication known either way between the two 
assumptions listed in this theorem. Proving the theorem assuming only existence 
of one-way functions is a challenging open problem. Note that there is no conflict 
between this result and that of Fortnow mentioned above: Fortnow's result talks 
only about interactive proofs (and not arguments). 

The concrete protocol constructions used to prove that all NP problems have 
zero-knowledge proof systems and arguments are in fact also proofs of knowledge. 
So equally general results on proofs of knowledge follow immediately. 



On Composition of Zero-Knowledge Protocols In general, the sequential 
composition of two zero-knowledge protocols is again zero-knowledge. An 
example of this is the graph isomorphism protocol shown above; it is in fact the 
result of repeating sequentially a basic step several times, where each step is 
zero-knowledge. 

However, if we try doing the repetitions in parallel, then the resulting 
protocol does not seem to be zero-knowledge: we would get a scenario where P 
would send many graphs H_1, ..., H_n at once, V would send challenges b_1, ..., b_n, 
and P would reply by ψ_1, ..., ψ_n. The resetting technique for simulation does 
not work anymore: we would be forced to try to guess in advance all the bits 
b_1, ..., b_n, and it would take us expected exponential time before the guess was 
correct. The idea that doing the protocol in parallel is not zero-knowledge may 
seem counterintuitive at first sight: why should doing it in parallel tell V more 
about an isomorphism between G_0 and G_1? The answer is that while it might 
in fact be true that V learns nothing that could help him to compute such an 
isomorphism, this is not enough for zero-knowledge, which requires that V learns 
nothing whatsoever that he could not compute himself. Indeed, if the verifier 
computes its challenge bits as a one-way function of the H_1, ..., H_n received, then it 
seems that the conversation itself would be a piece of information that is difficult 
for V to generate on his own. 

This discussion does not prove that the parallel version of the graph isomor- 
phism protocol is not zero-knowledge, only that the resetting technique will not 
work for simulating it. However, Goldreich and Krawczyk [24] have shown that 
there exist protocols that are zero-knowledge, but where the parallel composition 
provably is not zero- knowledge. 

A more complicated scenario which has been considered very recently is that 
of concurrent zero-knowledge, where we allow arbitrary interleaving of different 
instances of protocols, i.e. while P is running a protocol with V_1, it starts doing 
(the same or) a different protocol with V_2, etc. There is no a priori time ordering 
fixed between messages sent in different protocols. We can ask whether this entire 
interaction is simulatable. There are results about this indicating that many well 
known protocols fail to be zero-knowledge in such a scenario; however, there are 
also ways around this problem. More information on this can be found in one of 
the latest papers on the subject by Dwork and Sahai [19], which also contains 
pointers to more material. 
3.6 Applications of Zero-Knowledge 

One basic application of zero-knowledge protocols that is important in theory 
as well as in practice is the usage of zero-knowledge protocols as subprotocols in 
larger constructions; these could be voting schemes, key distribution protocols, or 
in general any multiparty computation (see the article by Cramer in this volume 
for information and references on this). If we do not want to assume existence 
of secure channels, such constructions are usually not possible in the first place 
unless one-way functions exist. This means that in building such protocols we can 
assume without loss of generality that NP ⊆ ZKIP. And so whenever a player 
A sends a message in a protocol, he can convince anybody else in zero-knowledge 
that he has computed his message according to the rules in the protocol. This 
follows since if the computation A was supposed to do is feasible in the first 
place, then the claim that the message is correctly computed can be verified in 
polynomial time given all of A's data, and so is an NP-statement. 

It follows that we can automatically transform any protocol that is secure 
assuming players follow the rules into one that is secure even if players deviate 
arbitrarily from the protocol. This observation was first made in [25]. 

This can be interesting in practice if the involved zero-knowledge proofs are 
efficient. However, this is not always the case if we are using the general theoret- 
ical results we have covered. While they show what is in principle possible, most 
of the actual protocol constructions occurring in the proofs of those results are 
not very attractive in practice. 

As an example, we know that a zero-knowledge proof or argument can be 
given for any NP language, and this is proved by providing a zero-knowledge 
proof for an NP-complete problem such as Boolean circuit satisfiability (SAT). 
When we are given a concrete problem instance x ∈ L, where L ∈ NP, then to 
use the general result, we must first construct from x a Boolean circuit which is 
satisfiable precisely if x ∈ L, and then use the protocol for SAT. 

This approach often results in very large circuits; for problem instances of 
interest in real life, typically at least 10,000 to 100,000 binary gates. It is therefore 
of interest to be able to construct instead an ad hoc zero-knowledge protocol for 
the problem in question, such as the graph isomorphism protocol above. A few 
problems are "nice" in this sense, in that they allow construction of particularly 
efficient protocols. This is often true of problems derived from number theory, 
and we mention some examples below. Still, there are also cases where the only 
solution we know is to use general techniques. This can be the case e.g. if P wants 
to show that for a given bit string y he knows x such that h(x) = y, where h is 
some cryptographic hash function. Since such functions are usually constructed 
deliberately to have none of the nice algebraic properties that enable efficient 
zero-knowledge directly, we have to resort to the general techniques. SAT is often 
the natural NP-complete problem to use, so efficient zero-knowledge protocols 
for SAT are of particular interest. Recent results by Cramer and Damgård in 
this direction show that one can prove satisfiability of a Boolean circuit while 
communicating only a number of bit commitments linear in the size of the 
circuit [11]. Using preprocessing, one can even reduce the proof to one message 
containing 2 bits per gate in the circuit [12]. Thus, general techniques can in fact 
be practical in some cases. 

Still, the largest potential for practical applications of zero-knowledge comes 
from extremely efficient protocols specially designed for particular problems such 
as the quadratic residuosity problem [21], the discrete logarithm problem [32], or 
the RSA root extraction problem [27]. The typical use here is for the classical user 
identification problem that we mentioned earlier: each user U gets a solution to a 
hard problem instance x_U, and can identify himself by proving in zero-knowledge 
that he knows a solution to x_U. By the zero-knowledge property, none of the 
proofs conducted by U will help an adversary to find a solution to x_U. Still, 
by the soundness property, an adversary can only impersonate U if he can find 
a solution to x_U. So if he succeeds, it means he could find a solution to x_U 
from scratch, and this is not possible if the underlying problem is hard. Using a 
secure hash function, one can also use these (interactive) identification protocols 
to build (non-interactive) signature schemes [21]. These can be more efficient 
than RSA signatures, but have so far only conjectured security in the sense that 
we do not know how to reduce the security to any well established computational 
assumption. 
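As an added example (not code from the paper or from [21]) of the identification protocols just described: a toy quadratic-residuosity scheme in Python in the commit, challenge, answer form, with the extractor that witnesses knowledge soundness (two accepting answers to one commitment reveal the secret, which is why an impostor can prepare for only one challenge per round), and the hash-based conversion to a non-interactive signature. The primes, modulus, secret and message are constructed and far too small to be secure, and the byte encoding fed to SHA-256 is this example's own choice.

```python
"""Toy quadratic-residuosity identification in the commit / challenge / answer
form of Section 3.6.  Added example, not the protocol text of [21]; the
modulus, secret and message are constructed and far too small to be secure."""
from math import gcd
import hashlib
import random

def keygen(p, q, rng):
    """User U's public instance x_U = (n, v) and the secret s with s^2 = v mod n."""
    n = p * q
    while True:
        s = rng.randrange(2, n)
        if gcd(s, n) == 1:
            return (n, pow(s, 2, n)), s

def commit(n, rng):
    """Move 1: the prover picks a random unit r and sends a = r^2 mod n."""
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            return r, pow(r, 2, n)

def respond(n, s, r, b):
    """Move 3: z = r * s^b mod n, i.e. r itself for b = 0 and r*s for b = 1."""
    return r * pow(s, b, n) % n

def check(pub, a, b, z):
    """Verifier's test z^2 = a * v^b mod n.  a = 0 or z = 0 would pass
    trivially, so both are rejected."""
    n, v = pub
    return 0 < a < n and 0 < z < n and pow(z, 2, n) == a * pow(v, b, n) % n

def identify(pub, s, rounds, rng):
    """Sequential run; an impostor without s survives a round with prob. 1/2."""
    n, _ = pub
    for _ in range(rounds):
        r, a = commit(n, rng)
        b = rng.getrandbits(1)                        # verifier's challenge
        if not check(pub, a, b, respond(n, s, r, b)):
            return False
    return True

def extract(pub, a, z0, z1):
    """Knowledge soundness: accepting answers z0 (b = 0) and z1 (b = 1) to the
    same commitment a give s = z1 * z0^-1 mod n, because z0 = r and z1 = r*s."""
    n, _ = pub
    if not (check(pub, a, 0, z0) and check(pub, a, 1, z1)):
        raise ValueError("need two accepting transcripts with the same a")
    return z1 * pow(z0, -1, n) % n

def challenge_bits(pub, commitments, msg, rounds):
    """The hash replaces the verifier: challenge bits derived from the message
    and all commitments at once (rounds <= 256 for one SHA-256 output)."""
    h = hashlib.sha256(repr((pub, commitments, msg)).encode()).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(rounds)]

def sign(pub, s, msg, rounds, rng):
    """Signature = (all commitments, answers to the hash-derived challenges)."""
    n, _ = pub
    pairs = [commit(n, rng) for _ in range(rounds)]
    commitments = [a for _, a in pairs]
    bits = challenge_bits(pub, commitments, msg, rounds)
    return commitments, [respond(n, s, r, b) for (r, _), b in zip(pairs, bits)]

def verify_sig(pub, msg, sig):
    commitments, answers = sig
    bits = challenge_bits(pub, commitments, msg, len(commitments))
    return len(answers) == len(commitments) and all(
        check(pub, a, b, z) for a, b, z in zip(commitments, bits, answers))
```

With `pub, s = keygen(10007, 10009, random.Random(3))`, `identify(pub, s, 20, rng)` accepts, a wrong secret fails as soon as a challenge with b = 1 arrives, and `extract` on the two answers to one commitment returns exactly s. Note that `sign` runs all rounds in parallel: as Section 3.5 explained, that parallel form is no longer provably zero-knowledge, which is one reason the security of such signatures is only conjectured.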

The most efficient versions of these protocols yield error probability 
exponentially small in the security parameter, even though the communication required 
is only linear. Unfortunately, these protocols are only zero-knowledge against 
the honest verifier, and hence have no provable security in real life. Feige and 
Shamir [22] point out a possible way around this problem: the identification 
scenario does not really require the full power of zero-knowledge. It is enough 
if the protocol does not help the verifier (or anyone else) to find the prover's 
secret (while zero-knowledge ensures that the verifier learns nothing new 
whatsoever). This is so since we can show that an adversary needs to know the 
prover's secret to impersonate the prover. Protocols with this weaker property 
are called Witness Hiding (WH), and might conceivably be easier to construct. 
In [13] Cramer, Damgård and Schoenmakers show that the efficient honest 
verifier zero-knowledge protocols of [32, 27] can be transformed into WH protocols 
while preserving the efficiency. 

The results just mentioned and many others in the area of efficient zero- 
knowledge and WH protocols revolve around protocols of a particular form where 
P sends a message, V sends a random challenge, and P gives an answer that 
can be checked by V (this is the form of the basic step in the graph isomorphism 
protocol). While such protocols by themselves have only limited security 
properties (e.g. they either have large error probability or are only honest 
verifier zero-knowledge), it turns out that they can be used in a modular way in 
a number of constructions of protocols and signature schemes with simultaneously 
high efficiency and provable security. For instance, a prover can show that 
he knows at least t out of n > t secrets without revealing which t secrets are 
involved [13, 34]. This can be important, e.g. in protocols where anonymity is 
desired. For a nice introduction to this entire area, see [8]. 
Abstract. The transition from theory to industry standards presents 
many challenges, particularly in terms of what features are important and 
how they are to be specified. Public-key cryptography, now in its third 
decade, is in the midst of such a transition. With an introduction to the 
P1363 project Standard Specifications for Public Key Cryptography, this 
survey highlights some of the transitional challenges, and also describes 
several areas for further research motivated by the standards efforts. 



1 Introduction 

As public-key cryptography has now moved into its third decade, a maturing of 
available technology has occurred, as reflected by the widespread deployment of 
products based on public-key techniques, and the development of standards for 
public-key cryptography. 

Standards have historically been developed for many reasons. Perhaps the 
most traditional motivation is that of a reference: standard time and standard 
measurements are two examples. Many standards today, particularly for com- 
munications, extend this notion of a reference definition to provide a basis for 
interoperability, as parties communicate according to a common set of proto- 
cols. For security, the protocols are further based on standards for underlying 
cryptographic techniques, including public-key cryptography. 

Another motivation for standards is assurance of some kind of safety; here, 
fire resistance standards are a classic example. Assurance of security also plays 
a role in the development of public-key standards. 

Public-key standards today tend to be converging on three families of al- 
gorithms, where a family is defined by the underlying hard problem on which 
security is based. The first two families are based on the difficulty of the discrete 
logarithm problem over finite fields and the difficulty of the elliptic curve discrete 
logarithm problem. The third is based on the difficulty of integer factorization. 
As shorthand, these families may be denoted DL, EC, and IF, respectively, and 
they are the subject of further discussion in the material that follows. For more 
background on those families, the reader is referred to other articles within this 
volume. 



I. Damgard (Ed.): Lectures on Data Security, LNCS 1561, pp. 87—104, 1999. 
(c) Springer-Verlag Berlin Heidelberg 1999 



Burton S. Kaliski Jr. 



Organization          Web Page 
ANSI X9F1             www.x9.org 
IEEE P1363            grouper.ieee.org/groups/1363 
ISO/IEC JTC1 SC27     www.iso.ch/meme/JTC1SC27.html 
NIST                  www.nist.gov 

Table 1. Web pages of four organizations developing public-key standards. 



As noted in an earlier survey [14], the set of standards is as broad as the set 
of applications, and it would be difficult to write (at least in a short paper) a 
full description of every standard involving public-key cryptography. However, 
much of the work is covered by four organizations, so it is possible to convey a 
reasonable sense of the overall activity by reviewing the four efforts. This is done 
in Section 2. One of the outcomes of the various work efforts is a general model 
for public-key standards, which is helpful as a framework for further work. This 
model, presented in Section 3, also illustrates the techniques in the IEEE P1363 
draft standard. 

Section 4 gives an interesting account of standards development with respect 
to the “strong primes” issue. The interaction between research and standards 
development is a challenging one in this regard; new research results motivate 
different positions in standards, and new requirements from standards motivate 
new research. The “strong primes” issue is thus one relevant area of research. 
Several other areas prompted by recent standards development are considered 
in Section 5. 

2 A Survey of Standards Efforts 

This brief survey is mainly intended as a “snapshot” of current activities as of 
October 1998 in four organizations: ANSI X9F1, IEEE P1363, ISO/IEC JTC1 
SC27, and NIST. New activities are being added continually, and the reader is 
encouraged to consult the organizations’ Web pages for further information (see 
Table 1). Also, in the interest of brevity in terms of the references (and in view of 
the ongoing nature of the standards projects), full bibliographic citations for the 
standards documents are not given. Titles and other information can generally 
be obtained from the Web pages or directly from the organizations. 

2.1 ANSI X9F1 

ANSI X9F1 (full name: Accredited Standards Committee X9, Financial Services 
— Data and Information Security — Cryptographic Tools) develops crypto- 
graphic tools for the financial services industry in the United States. Member- 
ship is by corporation and meetings are held quarterly. Balloting is conducted 
through X9F1’s parent committees, X9 and X9F, and an approved document 
becomes an American National Standard. 
Standard      Description                                  Status 
ANSI X9.30    DL signatures (DSA)                          approved 1995 
ANSI X9.31    IF signatures (RSA, RW)                      approved 1998 
ANSI X9.42    DL key agreement (DH, MQV)                   nearly complete 
ANSI X9.44    IF key transport (RSA)                       in preparation 
ANSI X9.62    EC signatures (DSA)                          in public comment 
ANSI X9.63    EC key agreement / transport (DH, MQV)       in preparation 
ANSI X9.80    Prime generation                             in preparation 

Table 2. ANSI X9F1 standards and draft standards for public-key techniques. 



X9F1 has standards and draft standards for digital signatures and key estab- 
lishment in each of the three families. A standard for prime generation, which 
underlies all three families, is in development. Table 2 lists the various efforts. 

The renewed debate about “strong primes” (Section 4) has emerged as a 
result of ANSI X9F1’s standardization efforts. 

2.2 IEEE P1363 

IEEE P1363 is developing a comprehensive standard for public-key cryptography 
in computer and communications systems. Membership is by individual and 
meetings are held quarterly. Balloting is conducted through P1363’s sponsor, 
the IEEE Computer Society Microprocessor Standards Committee. An approved 
document becomes an IEEE Standard. 

P1363 has a comprehensive draft standard about to begin ballot, whose title 
is the same as the working group’s name, IEEE P1363: Standard Specifications 
for Public Key Cryptography. The draft standard includes a variety of public-key 
techniques from all three families as well as extensive material on the number- 
theoretic algorithms underlying the standard and on security considerations. 
P1363 defines schemes and primitives (see Section 3), but not protocols. 

A new project, IEEE P1363a, will develop additional techniques to be added 
to the P1363 standard. That project has just started, and submissions of new 
techniques are currently being received. 

2.3 ISO/IEC JTC1 SC27 

ISO/IEC JTC1 SC27 (full name: International Organization for Standardization 
/ International Electrotechnical Commission — Joint Technical Committee 1, 
Information Technology — Subcommittee 27, IT Security Techniques). Mem- 
bership is by country, although experts participate in the three working groups 
of SC27. Meetings are held several times a year. Balloting is conducted through 
ISO and IEC, and an approved document becomes an international standard. 

SC27 has projects involving many aspects of cryptography, with both sym- 
metric and public-key techniques (often from multiple families) in the same set 
of documents, which often have multiple parts. Table 3 lists some of the current 
efforts. SC27 defines protocols as well as other techniques and does not make as 
strong a distinction between schemes and primitives as P1363 does. 

Project          Description 
ISO/IEC 9796     Signatures with message recovery 
ISO/IEC 9798     Entity authentication 
ISO/IEC 11770    Key agreement / transport 
ISO/IEC 13888    Nonrepudiation 
ISO/IEC 14888    Signatures with appendix 

Table 3. Some ISO/IEC SC27 projects involving public-key techniques. 

2.4 NIST 

NIST, the U.S. National Institute of Standards and Technology, develops stan- 
dards for the U.S. government, including Federal Information Processing Stan- 
dards (FIPS). The Computer Security Act (1987) gave NIST the charter for 
cryptography standards for the U.S. government. Although NIST submits doc- 
uments for public review, there is no ballot process, and final approval is by the 
U.S. Secretary of Commerce. 

NIST has two standards involving public-key techniques, FIPS PUB 186 
(Digital Signature Standard), and FIPS PUB 196 (Entity Authentication Using 
Public Key Cryptography). A key agreement / exchange standard is also in 
preparation. 

NIST is also developing the Advanced Encryption Standard (AES), which 
though not a public-key standard, is clearly a major achievement in terms of the 
synergy between standards development and research in cryptography. 

2.5 Differences and Coordination 

The four organizations, though developing standards based on related technol- 
ogy, have significant differences. ISO/IEC JTC1 SC27 and IEEE P1363 focus 
more on cryptographic building blocks and leave a fair amount of flexibility. 
ANSI X9F1 is oriented toward U.S. banking requirements and includes con- 
siderations relevant to auditing and validation of security components. NIST 
is oriented toward U.S. government requirements for unclassified data. These 
differences result in generally related but not necessarily compatible results. 

Despite the differences, there is significant coordination. IEEE P1363 and 
ANSI X9F1 have overlapping membership and an informal understanding that 
ANSI X9F1 will adopt or “profile” IEEE P1363 specifications to meet banking 
requirements (although the reverse is also occurring, where IEEE P1363 general- 
izes some of the ANSI X9F1 specifications). NIST has stated that it will accept 
new ANSI X9F1 standards for government purposes, in addition to its existing 
Digital Signature Standard, FIPS 186. (Interestingly, ANSI X9F1 had previously 
adopted FIPS 186 as the basis for ANSI X9.30.) ANSI X9F1 documents are pro- 
moted into the international standards process through the banking standards 
committee ISO TC68, which has some coordination with ISO/IEC JTC1 SC27. 



2.6 Related Efforts 

Another standards effort of interest is the Public-Key Cryptography Standards 
(PKCS) series (www.rsa.com/rsalabs/pubs/PKCS/) coordinated by RSA Lab- 
oratories. PKCS builds consensus among an informal, international audience of 
cryptography developers and is intended as a catalyst for more formal standards 
development. PKCS also follows the three-family model, with the RSA algorithm 
(IF family) covered in PKCS #1, Diffie-Hellman (DL family) in #3, and the EC 
family in the proposed #13. 

Also of particular interest today are the standards being developed in the 
security area of the Internet Engineering Task Force (www.ietf.org), many of 
which involve public-key protocols. Some of the more notable efforts are Public- 
Key Infrastructure (X.509) (pkix), S/MIME Mail Security (smime), IP Security 
Protocol (ipsec) and Transport Layer Security (tls). 

3 A General Model for Public-Key Standards 

As standards for public-key cryptography have emerged, a classification of the 
types of public-key techniques has been developed as well. The classification, a 
result of attempts to specify public-key techniques in a common manner, provides 
a natural framework or model for new standards development, as well as for 
research into new techniques. 

The primary characteristic of the model is the separation of public-key tech- 
niques into two “levels”: primitives and schemes. Primitives are basic mathemat- 
ical operations like RSA encryption, c = m^e mod n. Schemes are sets of related 
operations combining primitives with additional techniques, like signature oper- 
ations that involve the additional technique of hashing. Primitives are intended 
for low-level implementation as in a crypto-accelerator, schemes are intended as 
components of high-level application protocols and services. In addition, schemes 
are intended to be “secure” on all messages they process, whereas primitives are 
assumed to be difficult to compute (or invert) only on average. 

As examples of schemes and primitives, some techniques from IEEE P1363 
will be mentioned. Background on the P1363 naming convention will be helpful 
here. The general form of a P1363 name consists of three fields: 

family type - instance 

where family is the two-character designation for the underlying hard problem 
(DL, EC or IF); type is a two- to four-character shorthand for the type of tech- 
nique, and instance is the name of a particular instance of the given type. 
With the focus on P1363, protocols are not covered in the general model 
presented here. Examples of protocols include entity authentication protocols 
where one party verifies another party’s presence, and key establishment proto- 
cols where parties agree on or exchange a session key. Such protocols can readily 
be built out of the various schemes, and in general can be built in a generic fash- 
ion where it is only the type of scheme that matters, not the specific scheme. 
For instance, it is possible to build an entity authentication scheme from any 
signature scheme. Thus protocols need not be defined in terms of basic mathe- 
matical operations, which further justifies the separation between primitives and 
schemes. 

3.1 Primitives 

A primitive is a basic mathematical operation from which other cryptographic 
techniques can be built. By itself, a primitive provides a degree of computational 
security in that it may be difficult on average to compute a primitive (or perhaps 
to invert one) without access to a certain key. 



Types of Primitive The following types of primitive are defined in P1363. 
Secret value derivation. A secret value derivation primitive (denoted SVDP) 
combines one or more private keys with one or more public keys to produce a 
secret value. The same secret value can be obtained by combining the corre- 
sponding public keys with the corresponding private keys. 

Secret value derivation is relatively new terminology, being introduced in 
P1363 for specifying basic operations like the Diffie-Hellman step that combines 
one party’s public key, say y_B, with another party’s private key, say x_A, to 
compute a value z_AB = y_B^{x_A} (the exponentiation being performed in some group). 
Other aspects of Diffie-Hellman such as how keys are derived from the value z_AB 
or how the public/private key pairs are managed, are more properly parts of a 
scheme or protocol. The primitive isolates the basic mathematical part. 

Secret value derivation primitives in P1363 include the following: 

- DLSVDP-DH, basic Diffie-Hellman [9] 

- DLSVDP-DHC, Diffie-Hellman with cofactor multiplication (see [15]), which 
protects against certain chosen-public-key attacks [20,17] 

- DLSVDP-MQV, Menezes-Qu-Vanstone secret value derivation, involving 
two key pairs per party [15] 

- DLSVDP-MQVC, MQV with cofactor multiplication 

- ECSVDP-DH, ECSVDP-DHC, ECSVDP-MQV, and ECSVDP-MQVC, the 
elliptic curve analogs of the preceding primitives 

Only the DL and EC families have secret value derivation primitives, an advan- 
tage of having common domain parameters to be shared among parties. 
Signature and verification. A signature primitive (SP) processes a mes- 
sage representative (an input that contains information about a message, such 
as the hash of the message) with a signer’s private key to produce a signature. 
A corresponding verification primitive (VP) processes the signature with the 
signer’s public key to recover the message representative, or processes the signa- 
ture and the message representative to verify the signature. (In the former case, 
the primitive is said to have a message recovery capability.) 

Family \ Type    SVDP                    SP / VP              EP / DP 
DL               DH, DHC, MQV, MQVC      NR, DSA              — 
EC               DH, DHC, MQV, MQVC      NR, DSA              — 
IF               —                       RSA1, RSA2, RW       RSA 

Table 4. Primitives in IEEE P1363, by family and type. 

Signature and verification primitives in P1363 include: 

- DLSP-NR / DLVP-NR, Nyberg-Rueppel signatures [23]; these have a mes- 
sage recovery capability 

- DLSP-DSA / DLVP-DSA, generalizations of the NIST FIPS 186 Digital 
Signature Algorithm [22] 

- ECSP-NR / ECVP-NR and ECSP-DSA / ECVP-DSA, the elliptic curve 
analogs of the preceding primitives 

- IFSP-RSA1 / IFVP-RSA1, basic RSA [28] 

- IFSP-RSA2 / IFVP-RSA2, basic RSA with an “absolute value” step that 
saves one bit, as in ISO/IEC 9796 and ANSI X9.31 

- IFSP-RW / IFVP-RW, Rabin-Williams signatures [26,31] with the one-bit 
savings 

Encryption and decryption. An encryption primitive (EP) processes a mes- 
sage representative with a recipient’s public key to produce a ciphertext. A 
corresponding decryption primitive processes the ciphertext with the recipient’s 
private key to recover the message representative. 

There is just one pair of encryption and decryption primitives: 

- IFEP-RSA / IFDP-RSA, basic RSA 

Encryption in the other families is typically based on secret value derivation 
primitives, so only the latter type of primitive need be defined for the DL and 
EC families. 

To summarize, Table 4 lists the primitives according to family and type. 

Examples DLSP-DSA generates a signature (r, s) from a message representa- 
tive m with a private key (p, q, g, x). (The meaning of the individual items is not 
significant to this discussion — but the notation differs from P1363 to be more 
consistent with the original DSA specification [22].) DLSP-DSA computes the 
signature (r, s) as 

    r ← (g^k mod p) mod q 
    s ← k^{-1} (m + xr) mod q 

where (k, g^k mod p) is a freshly generated DL key pair. DLVP-DSA verifies the 
signature by computing 

    u_1 ← m s^{-1} mod q 
    u_2 ← r s^{-1} mod q 

and then comparing 

    r ≟ (g^{u_1} y^{u_2} mod p) mod q, 

where y = g^x mod p is the signer’s public key. (Some testing for nonzero 
values is also included in the primitives.) The DL/ECSSA signature scheme is 
built from these primitives. 

Other primitives in P1363 have a similar flavor, consisting of modular arith- 
metic and other group operations. 



Implementation Primitives are likely to be implemented as low-level com- 
ponents of a system, for instance as functions interfacing to a cryptographic 
accelerator in a smart card. They are generally not directly accessible to appli- 
cations, particularly since “raw” access to a primitive may provide a means of 
compromising a private key. Moreover, because a primitive is a mathematical 
operation, it may have properties that lead to potential attack if the primitive 
is employed directly to protect data. In addition, a primitive, being a basic op- 
eration, is limited in terms of the size of messages it can process. Because of the 
mathematical properties and the message size limitation, a primitive needs to 
be combined with other techniques in a scheme, as described next. 



3.2 Schemes 

A scheme is a set of related operations combining one or more primitives with 
additional techniques to enhance security and, possibly, to handle messages of 
arbitrary size. A scheme is intended to be secure for all messages it processes. 



Types of Scheme Four types of scheme are defined in P1363. Each has one 
or two related operations, in addition to key management operations mentioned 
further below. 

Key agreement. A key agreement scheme (KAS) includes a key agreement 
operation by which two parties can agree on a shared secret key. The key agree- 
ment operation typically combines a secret value derivation primitive with a key 
derivation function, where the key derivation function maps shared secret values 
produced by the primitive to one or more shared secret keys. 

Key agreement schemes in P1363 include DL/ECKAS-DHl, based on Diffie- 
Hellman with one key pair per party; DL/ECKAS-DH2, with two key pairs 
per party (see [5] for some security analysis); and DL/ECKAS-MQV, based on 
MQV. Similar to the situation with primitives, only the DL and EC families 
have a key agreement scheme. Key agreement protocols can be defined for any 
of the families, however, building on an encryption scheme in the case of the IF 
family. 
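One way to see the primitive/scheme split for key agreement, as an added Python example that is not code from P1363 or the author: DLSVDP-DH is the bare exponentiation on the peer's public key, and DLKAS-DH1 wraps it with a key derivation function that turns the shared secret value into shared secret keys. The toy domain parameters (p = 607, q = 101, g = 64), the counter-mode hash construction used as the KDF, its non-secret control-information input and all function names are assumptions of this example; the parameters are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy DL domain parameters shared by both parties (NOT secure):
# q = 101 and p = 6*q + 1 = 607 are prime; g = 64 has order q modulo p.
P, Q, G = 607, 101, 64


def generate_key_pair(x=None):
    """Private key x and public key y = g^x mod p (x fixed only for reproducibility)."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dlsvdp_dh(private_key, peer_public_key):
    """DLSVDP-DH primitive: z = y_B^{x_A} mod p.
    The membership check is a (assumed) public-key validation step: it rejects
    values outside the order-q subgroup, which is the kind of input the cofactor
    variant DLSVDP-DHC is designed to neutralise."""
    y = peer_public_key
    if not (1 < y < P) or pow(y, Q, P) != 1:
        raise ValueError("peer public key is not a valid element of order q")
    return pow(y, private_key, P)


def kdf(z, key_len, control_info=b""):
    """Key derivation function (assumed construction): hash the shared secret value
    with a counter and optional non-secret control information until key_len bytes."""
    out = b""
    counter = 1
    z_bytes = z.to_bytes((P.bit_length() + 7) // 8, "big")
    while len(out) < key_len:
        block = z_bytes + counter.to_bytes(4, "big") + control_info
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:key_len]


def dlkas_dh1_agree(private_key, peer_public_key, key_len=16, control_info=b""):
    """DLKAS-DH1 key agreement operation: primitive, then key derivation.
    Both parties call this with their own private key and the other's public key."""
    z = dlsvdp_dh(private_key, peer_public_key)
    return kdf(z, key_len, control_info)
```

Binding control information (a session label, the parties' identities) into the KDF input is what lets the same secret value z yield distinct keys for distinct contexts; the primitive alone says nothing about that.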

Signature. A signature scheme includes a signature generation operation and 
a signature verification operation by which parties can verify the origin and 
integrity of a message. There are two flavors. In a signature scheme with appendix 
(SSA), a signature is provided to a verifier separate from the message. In a 
signature scheme with message recovery (SSR), the message is recovered from 
the signature. The operations combine signature and verification primitives with 
an encoding method for signatures, where the encoding method maps between 
arbitrary length messages and message representatives. Examples of encoding 
methods include a hash function and a hash function with padding. 

Signature schemes in P1363 include DL/ECSSA, IFSSA, and IFSSR, each a 
general signature scheme combining primitives in the families with an encoding 
method. Signature schemes with message recovery for the DL and EC families 
are the subject of further work. 

Encryption. An encryption scheme (ES) includes an encryption operation and 
a decryption operation by which parties can protect a message from disclosure. 
An authenticated encryption scheme can also verify the integrity of a message 
and can bind it to certain non-secret “control information” (see [13] for dis- 
cussion). The operations combine encryption and decryption primitives with an 
encoding method for encryption. 

There is just one encryption scheme in P1363, IFES, based on RSA. Encryp- 
tion schemes for other families are the subject of further work. 

The selection of encoding methods and key derivation functions is a delicate 
matter, as these additional techniques must address mathematical properties of 
the primitives and also be internally secure. For instance, an encoding method 
for signatures must produce a message representative in a way that overcomes 
any mathematical properties of the signature primitive. It must also be difficult 
to find two messages with the same message representative, or a message with 
a given message representative. The internal properties are the ones most often 
studied for such encoding methods, but the mathematical considerations are 
also an appropriate area for research. (In fact, both are addressed together in 
the most recent encoding methods, such as OAEP [2] and PSS [3].) 

Key management operations for the various schemes include key generation, 
key validation (terminology proposed by Don Johnson in a contribution to ANSI 
X9F1), and, depending on the family, domain parameter generation and domain 
parameter validation, where domain parameters are components common to a 
set of key pairs, such as an elliptic curve group in the EC family or a prime in 
the DL family. The validation operations, which are optional in P1363, are for 
verifying that a public key or a set of domain parameters satisfies its definition. 
The key management operations are complementary to the other operations in 
the schemes in the sense that they produce (and optionally verify) the keys that 
are input to the related scheme operations. (How parties obtain one another’s 
public keys is a separate matter.) 

Table 5 summarizes the schemes according to family and type. 
Family \ Type    KAS                SSA          SSR          ES 
DL/EC            DH1, DH2, MQV      DSA, NR      open         open 
IF               —                  RSA, RW      RSA, RW      RSA 

Table 5. Schemes in IEEE P1363, by family and type. 



Example An example scheme, building on the DSA primitive from the previous 
discussion, is DL/ECSSA, a signature scheme with appendix for the DL and EC 
families. DL/ECSSA is “generic” in that it can be based on any pair of DL and 
EC signature and verification primitives and any encoding method consistent 
with the primitives. It has six operations: the four key management operations, 
the signature generation operation, and the signature verification operation. The 
latter two are described here. 

DL/ECSSA signature generation generates a signature (r, s) from a message 
M with a private key S. (For DLSP-DSA the private key would have the form 
(p, q, g, x) as above, though again the meaning of the individual items is not sig- 
nificant to this discussion.) The operation computes the signature (r, s) by the 
following steps: 

1. Apply the message encoding method to compute a message representative 
from the message: m = Encode(M). 

2. Apply the signature primitive to the message representative and the private 
key to produce a signature: (r, s) = DLSP-DSA(S, m). 

DL/ECSSA signature verification verifies the signature with a public key 
V by these steps (for a primitive such as DLVP-NR with a message recovery 
capability the steps would be somewhat different): 

1. Apply the message encoding method to compute a message representative 
from the message: m = Encode(M). 

2. Apply the verification primitive to the message representative, the signature, 
and the public key to verify the signature: DLVP-DSA(V, m, (r, s)). 
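The DLSP-DSA / DLVP-DSA primitives of Section 3.1 and the two-step DL/ECSSA operations just listed, as an added Python example (not code from P1363 or from the author): the primitives take an integer message representative m, and the scheme is the encoding method applied before them. The toy domain parameters (p = 607, q = 101, g = 64), the choice of SHA-256 reduced mod q as the encoding method (FIPS 186 itself uses SHA-1), the optional fixed k used only to make results reproducible, and the function names are assumptions of this example; the parameters are far too small for any real use.

```python
import hashlib
import secrets

# Constructed toy DSA domain parameters (NOT secure):
# q = 101 and p = 6*q + 1 = 607 are prime; g = 2^((p-1)/q) mod p = 64 has order q.
P, Q, G = 607, 101, 64


def generate_key_pair(x=None):
    """Key generation: private key (p, q, g, x), public key (p, q, g, y), y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return (P, Q, G, x), (P, Q, G, pow(G, x, P))


# ---- Primitives: operate on a message REPRESENTATIVE m (an integer mod q) ----

def dlsp_dsa(private_key, m, k=None):
    """DLSP-DSA: (r, s) from m and the private key, using a fresh DL key pair (k, g^k mod p).
    k is a parameter only so the example is reproducible; in use it must be fresh,
    random and secret for every signature."""
    p, q, g, x = private_key
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        r = pow(g, kk, p) % q
        s = (pow(kk, -1, q) * (m + x * r)) % q
        if r != 0 and s != 0:          # the "testing for nonzero values" the text mentions
            return r, s
        if k is not None:
            raise ValueError("supplied k gives a zero component; pick another k")


def dlvp_dsa(public_key, m, signature):
    """DLVP-DSA: u1 = m s^-1, u2 = r s^-1 mod q, then check (g^u1 y^u2 mod p) mod q == r."""
    p, q, g, y = public_key
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (m * w) % q
    u2 = (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


# ---- Scheme: DL/ECSSA = encoding method + primitive; handles arbitrary messages ----

def encode(message, q):
    """Encoding method (assumed: SHA-256 reduced mod q because the toy q is tiny)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def dlssa_sign(private_key, message, k=None):
    m = encode(message, private_key[1])          # step 1: m = Encode(M)
    return dlsp_dsa(private_key, m, k)           # step 2: (r, s) = DLSP-DSA(S, m)


def dlssa_verify(public_key, message, signature):
    m = encode(message, public_key[1])           # step 1: m = Encode(M)
    return dlvp_dsa(public_key, m, signature)    # step 2: DLVP-DSA(V, m, (r, s))
```

Note where the boundary falls: the primitive never sees the message, only m, which is why an application should call the scheme operations and not the primitive, as the text's Implementation paragraphs explain.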

Implementation Scheme operations might be found as “mid-level” compo- 
nents, such as modules in a cryptographic service provider or library. They will 
typically be directly accessible to applications, in contrast to primitives. A se- 
quence of scheme operations can then be carried out by an application, along 
with other message processing, in the form of a key establishment, entity au- 
thentication, or other security protocol. 

4 Are “Strong Primes” Needed for RSA? 

Standards development can place new requirements on existing cryptographic 
systems, challenging assumptions about what is necessary for security. An ex- 
cellent example is found in the ongoing debate about whether so-called “strong 
primes” are needed for the RSA public- key cryptosystem. 
4.1 1980s: Yes 

The security of the RSA public-key cryptosystem depends, in part, upon the 
difficulty of factoring large integers that are the product of two primes. A number 
of methods are available for solving this problem of integer factorization. Some 
are “general purpose” in that they apply equally well to all integers of a given 
size. Others are “special purpose,” operating more effectively when the integer 
or its factors have a certain form. 

One special-purpose method of particular interest is Pollard’s p - 1 Method 
[25]. This method can factor an RSA modulus n = pq in about r operations 
where r is the largest prime factor of p - 1. Because of this, it was recommended 
in the 1980s that a modulus be constructed so that the largest prime factors 
of p - 1 and q - 1 are large, say at least 100 bits long. Other special-purpose 
methods lead to other sets of strong prime conditions, such as “p + 1” conditions 
and “r - 1” conditions (r being the large factor of p - 1). “Strong primes” are 
primes satisfying one or more of these conditions. 

One standard developed during the 1980s, ITU-T (then CCITT) Recommen- 
dation X.509 (1988) [7], includes a number of these conditions in its description 
of RSA key generation. Strong primes are easy to generate: Gordon [11] gives 
a method for generating strong primes with only a small overhead compared to 
generation of random primes. 
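The three conditions named above, written out as a checker (an added example, not from the paper and not Gordon's generation method): it factors p - 1, p + 1 and r - 1 by trial division, which is feasible only for the toy-sized primes used here, and reports the largest prime factor of each against a bound. The bound, the sample primes and the function names are assumptions of this example.

```python
def largest_prime_factor(n):
    """Largest prime factor of n by trial division. Adequate for toy sizes only;
    for real RSA primes this is exactly the computation the text says is infeasible."""
    if n < 2:
        raise ValueError("n must be >= 2")
    largest = 1
    d = 2
    while d * d <= n:
        while n % d == 0:
            largest = d
            n //= d
        d += 1
    # whatever remains (> 1) is prime and at least as large as any factor found so far
    return max(largest, n) if n > 1 else largest


def strong_prime_report(p, bound):
    """Evaluate the 1980s strong prime conditions for a prime p:
      p-1 has a large prime factor r,
      p+1 has a large prime factor,
      r-1 has a large prime factor.
    Returns the largest prime factor of each and whether all meet the bound."""
    r = largest_prime_factor(p - 1)
    s = largest_prime_factor(p + 1)
    t = largest_prime_factor(r - 1) if r > 2 else 1   # r = 2 gives r-1 = 1, no factor
    report = {"p-1": r, "p+1": s, "r-1": t}
    return report, all(v >= bound for v in report.values())
```

With a real bound such as the 100 bits mentioned in the text, the check would have to rely on how the prime was constructed rather than on factoring afterwards, which is the reason Gordon-style generation records the large factors as it goes.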



4.2 Early 1990s: No 

Although strong primes were easy to generate and protected against certain at- 
tacks, were they necessary? This was the subject of an unpublished paper by 
Rivest in the early 1990s [27] (see also [29]). To resist general-purpose meth- 
ods, the paper argued, the prime factors of an RSA modulus would need to 
be reasonably large. If the primes were sufficiently large and were generated at 
random, the paper continued, the primes would with high probability resist the 
various special-purpose methods as well, so strong prime conditions would add 
no protection in practice. At most, they gave a false sense of security. 

This point became particularly clear with the development of the Generalized 
Number Field Sieve (GNFS) [6], which by increasing the required size of RSA 
moduli to resist a certain level of attack, made the special-purpose methods even 
less relevant. 

The development that perhaps most convincingly argued against the need for 
strong primes (and for the need for large ones) was the Elliptic Curve Method 
(ECM) [16]. ECM, unlike the p - 1 Method and other previous special-purpose 
methods, is equally effective on all primes of a given size. No special conditions 
on a prime, other than size, can defend against it. Thus, in a certain sense, every 
prime of a given size is a “weak prime” — including even primes strong against 
the p - 1, p + 1 and all other previous methods. Of course, primes large enough 
to resist GNFS will resist ECM as well. 

By the mid-1990s, then, it seemed that standards for the RSA public-key 
cryptosystem should no longer include conditions on the primes, other than that 
they be sufficiently large and random. Implementations should be able to include 
such conditions during RSA key generation, but to impose a general requirement 
no longer seemed necessary. The debate about whether an RSA modulus could 
be “weak” appeared settled. 

4.3 Late 1990s: Maybe? 

Another debate, however, was just beginning. Although a large random prime 
would resist attacks against outside opponents, what if a user deliberately gen- 
erated a prime that was not random or not large enough? Indeed, what if the 
user deliberately generated a prime that was weak against the P — 1 method? 
The user could do so by repeatedly generating RSA key pairs until one of the 
primes output as part of the RSA private key was obviously weak. (To detect 
the weakness, the user need only try to factor p - 1 or q - 1, perhaps by ECM.) 
A user might be motivated to do this if the user later could claim that, because 
the prime was weak, the resulting RSA modulus could easily be factored. The 
user could thereby attempt to repudiate a previously verified signature. 

On the one hand, it was argued that a user would have a difficult time 
convincing a judge that the supposed weakness was the result of chance. Since 
it is unlikely that a random prime would be weak against the P — 1 method, the 
claim would seem suspicious, particularly as to why an opponent would choose 
this one RSA modulus to factor with the P — 1 method without knowing in 
advance whether the effort would succeed. (Although the user could know in 
advance whether a modulus could be factored by the P — 1 method, there is no 
way for an outsider to determine this without actually trying to factor it.) 

On the other hand, it was pointed out that the mere possibility that such a 
ruse might succeed was sufficient justification to prevent it. 

In any case, a general consensus was emerging by the late 1990s that it was 
important to consider not only security against outside opponents, but security 
against insiders — the users — when constructing requirements for key genera- 
tion. 

This debate, which played out in the final stages of the development of ANSI 
X9.31, makes it clear that assumptions about what is necessary for security 
are continually evolving. (The verdict: ANSI X9.31 would require strong prime 
conditions.) It also raises some nice research problems about how users can prove 
their keys are properly generated, a topic which is considered further in the next 
section. 



5 Research Areas 

As already established, research in cryptography eventually finds its way into 
standards, though perhaps not necessarily as originally intended. Standards de- 
velopment likewise motivates additional research. 

As an example, consider Table 5. As part of standards development, it became 
clear that certain types of techniques were better established in one family than 
in another. This provided motivation for finding new techniques in the other 
families. Or consider the strong primes debate. The question about whether 
strong primes were necessary, cast in the new light of nonrepudiation, raised 
issues about proving that public keys satisfy certain properties. Most research is 
influenced in one way or another by application requirements, and standards, by 
defining a class of applications, thus have a significant impact on new research. 

(As a side note, perhaps the most compelling example of how standards 
development can influence research can be found in the significant body of re- 
search surrounding the analysis of the Data Encryption Standard [21] and the 
development of its successor, the Advanced Encryption Standard.) 

As it would have been difficult to cover all the standards involving public-key 
cryptography, so it is difficult to cover all the research problems motivated by 
those standards. However, four research areas have been particularly prominent 
in the development of P1363 and its addendum, P1363a, and these are described 
in further detail next. 



5.1 Key Validation 

As discussed above in the context of the strong primes issue, it can be important 
to have assurance that a public/private key pair has certain properties. More 
fundamentally, it can often be important to know that a given public key is, in 
fact, a public key. 

There is an interesting definitional issue here. When specifying a crypto- 
graphic primitive, one usually assumes that public keys are valid; as validation 
may be expensive and can be performed elsewhere, there is little reason to specify 
the behavior of a primitive on an invalid public key. When specifying a protocol, 
however, one can no longer make this assumption. Thus, the definition of “public 
key” varies according to the type of technique. The transition between differ- 
ent types of technique, say a protocol and a primitive, can introduce potential 
security risks due to misunderstanding about whether a key is valid or not. 

Public-key validation is primarily of interest in key agreement schemes, 
which combine one user’s public key with another user’s private key in a secret 
key derivation primitive. Effectively, this combination can open the door to a 
“chosen-public-key attack” where an opponent, by supplying an invalid pub- 
lic key, may be able to extract information about a private key. (The “small 
subgroup” attacks on the Diffie-Hellman and related primitives observed by Van- 
stone [20] and by Lim and Lee [17] illustrate the risks involved.) Key validation 
is one of the countermeasures to these concerns. 

In encryption and signature schemes, public- key validation provides an addi- 
tional level of assurance, but is less important than for key agreement schemes 
since there is no direct counterpart to the “chosen-public-key attack.” (Chosen- 
message and chosen-ciphertext attacks are of greater concern.) One example of 
added assurance is that public-key validation can defend against the possibility 
that a user might repudiate a signature on the basis that the user’s public key 
is invalid. 
As one area for research, then, it would be worthwhile to refine existing 
security models to accommodate the possibility that public keys might be invalid. 
Such models could account for the possibility that a user might repudiate a 
signature, and issues such as when key validation is necessary could be addressed. 

A user may perform key validation directly, or perhaps rely on a certifi- 
cate authority to perform key validation as part of issuing a certificate. The 
particular validation method depends on the type of key. For DL and EC public 
keys, validation involves a straightforward check that the public key satisfies its 
definition — that is, that the public key has the correct order in an intended 
group. This assumes, of course, that the correct order and the intended group, 
which are part of the DL or EC domain parameters, have also been validated, a 
process that can be carried out separately. 
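The direct check for DL public keys described above (the key must have the intended order $q$ in the intended subgroup of $\mathbb{Z}_p^*$), together with the domain-parameter check it presupposes, as an added example that is not code from the paper or from P1363. The Miller-Rabin test with fixed bases and the toy parameters $p = 23$, $q = 11$, $g = 4$ are constructed for illustration; EC keys need the analogous check that the point lies on the curve and has the subgroup order.

```python
"""Direct validation of DL domain parameters (p, q, g) and of a DL public key y,
following the check described in the text: y must have the intended order q in
the subgroup of Z_p^* generated by g.  Added example, not code from the paper
or from P1363; the primality test and the toy parameters are constructed."""


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases (assumption: adequate for the sizes
    used here; a production validator would use more rounds and random bases)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23)
    for s in small:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dl_domain_parameters(p: int, q: int, g: int) -> bool:
    """p and q prime, q divides p - 1, and g generates a subgroup of order exactly q.
    The text notes this must be done (or trusted) before a public key is checked."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    if (p - 1) % q != 0:
        return False
    if not (1 < g < p - 1):           # excludes the order-1 and order-2 elements
        return False
    return pow(g, q, p) == 1


def validate_dl_public_key(p: int, q: int, y: int) -> bool:
    """The direct check: y is in range and y^q = 1 (mod p), so y lies in the
    order-q subgroup.  Keys of small order (0, 1, p - 1) or elements of other
    subgroups of Z_p^* fail and must be rejected before key agreement."""
    if not (1 < y < p - 1):
        return False
    return pow(y, q, p) == 1


def dl_public_key(p: int, q: int, g: int, x: int) -> int:
    """Honest key generation: y = g^x mod p for a private key 0 < x < q."""
    if not (0 < x < q):
        raise ValueError("private key out of range")
    return pow(g, x, p)


if __name__ == "__main__":
    # Constructed toy parameters: p = 23 = 2*11 + 1, q = 11, g = 4 has order 11.
    p, q, g = 23, 11, 4
    assert validate_dl_domain_parameters(p, q, g)
    y = dl_public_key(p, q, g, 5)
    print("honest key", y, "valid:", validate_dl_public_key(p, q, y))
    for bad in (0, 1, 22, 5):             # orders 1, 1, 2 and 22 respectively
        print("candidate", bad, "valid:", validate_dl_public_key(p, q, bad))
```

The candidate 22 ($= -1 \bmod 23$) is the kind of order-2 value a small-subgroup attack would supply; the exponentiation to $q$ rejects it because its order does not divide $q$, while 5 is rejected because it generates the full group of order 22 rather than the intended subgroup.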

An alternative to a direct check of a public key’s validity is an interactive 
proof of knowledge of the corresponding private key such as the one given by 
Chaum et al. [8]. 

For IF public keys, validation is more difficult. (As mentioned above, however, 
the need for validation of IF public keys is less pronounced, since there is no 
direct “chosen-public-key” attack.) No method is known, for instance, by which 
a user can check whether an RSA modulus is a product of two primes of similar 
size. A user can check whether a modulus is composite, of course, but to verify 
the number of primes involved appears to require an interactive proof with the 
holder of the prime factors such as the one given by van de Graaf and Peralta 
[30]. 

Recently, several techniques have been developed for proving additional prop- 
erties about IF public keys. Liskov and Silverman give an interactive proof for 
the size of the prime factors [18]; Mao presents an alternate proof [19]. The proof 
given by Gennaro, Micciancio and Rabin [10] shows that there are two primes 
involved, each occurring exactly once as a factor for a certain class of moduli. 
The techniques can likely be improved, and further research on this problem is 
well motivated. 



5.2 New Encryption Schemes 

Another area of research interest concerns improvements to encryption schemes. 
In P1363, there is only one encryption scheme, IFES, based on the RSA encryp- 
tion primitive. Schemes for the DL and EC families were not included since there 
were no established techniques in practice, and since it was possible to establish 
keys for conventional encryption schemes through the use of the DL and EC key 
agreement schemes. 

Related to the broadening of encryption schemes to include the other families 
is the broadening of the schemes to include potentially larger messages. IFES, 
as defined, limits the size of the message it can encrypt to slightly less than 
the size of the RSA modulus. This is generally not a problem in practice as 
the RSA modulus is typically 96 bytes or more and the message is typically a 
symmetric key of 16 bytes or less, though further flexibility would be helpful. 
A straightforward approach to EC encryption, however, would combine a 16- 
byte key with a secret value that is (say) 20 bytes long. This leaves little room 
for padding and other enhancements that may be necessary for security, and 
motivates further research on how to construct DL and EC schemes. 

New and better encryption schemes for all three families were thus identified 
as a research objective during the development of P1363, and several contribu- 
tions resulted that are now being considered for inclusion in P1363a (a full list 
of contributions can be found through the P1363 Web page). As this is still a 
relatively new area of research, further review and additional contributions are 
definitely welcome. 

5.3 New Signature Schemes 

The situation with signature schemes in P1363 is somewhat more complete than 
with encryption schemes, as there is at least one scheme for each family. However, 
here as well there is need for additional research, as only one of the families has a 
signature scheme giving message recovery, and as the latest results on “provable 
security” (e.g. [24]) have not yet been incorporated. In addition, the one signature 
scheme with message recovery, IFSSR, has a relatively older design. More recent 
schemes, such as PSS [3], have better security proofs. 

For the DL and EC families, signature schemes with message recovery could 
be based on the Nyberg-Rueppel signature primitive, since it supports message 
recovery. A challenge here is that the verification primitive (DLVP-NR or ECVP- 
NR) can only recover a relatively small message — typically 20 bytes. Any 
redundancy necessary for security would further limit the size of the message. 

The recent discussion on “target-collision-resistant” hash functions [4] can 
also provide insight into the appropriate design of new signature schemes. 

5.4 Provable Security 

“Provable” security, of course, remains a continual objective — whether a better 
understanding of the complexity of an underlying hard problem or an assurance 
of the connection between that hard problem and a particular cryptosystem. 
Proofs for primitives, schemes, and protocols are all important; the last of the 
three is perhaps the most important in practice, since it is through actual pro- 
tocols that parties (including opponents) most often interact with one another. 
Since proofs of protocol security depend on security of the underlying schemes 
and primitives, however, security analysis for the other two levels is important 
as well. 

The random oracle model [1] has provided significant insight into the design 
and security proof of schemes, but it has limitations, namely that in practice, 
the random oracle in the construction is instantiated with a particular method 
such as a hash function. Security proofs in the random oracle model generally 
contemplate a generic attack that works for any instantiation. In practice, one 
would like assurance about specific attacks involving a particular hash function as 
well (although, certainly, the absence of a generic attack is itself quite assuring). 
As an example, one might ask how security results about RSA bits [12] apply to 
the OAEP construction [2]. Further research into “instantiated security” is thus 
another desirable research topic. 

6 Conclusion 

With all the standards development around public-key cryptography, it is clear 
that the technology has matured significantly, but the story is far from over. Im- 
provements to existing techniques, new techniques, and perhaps even completely 
different approaches are to be expected. 

A lesson learned for future development is the importance of collaboration 
between research and standards. Inasmuch as standards are “best practice,” they 
are an excellent avenue for applying research, and their continued success de- 
pends on ongoing research. Basic research in cryptography and the development 
of standards are thus quite closely related. Though in the past the efforts have 
been separated by a decade or more, hopefully, in the future, they will proceed 
more closely in step, as the promising results of additional knowledge continue 
to be made available for everyday use. 
Abstract. This paper considers modern secret-key block ciphers. The 
theory behind the design and analysis of modern block ciphers is ex- 
plained, and the most important known attacks are outlined. Finally the 
Advanced Encryption Standard is discussed. 



1 Block Ciphers - Introduction 

In the last few thousands of years encryption algorithms, also called ciphers, have 
been developed and used [18,28]. Many of the old ciphers are much too weak to 
be used in applications today because of the tremendous progress in computer 
technology. There are essentially two types of cryptosystems, one-key and two- 
key ciphers. In one-key ciphers the encryption of a plaintext and the decryption 
of the corresponding ciphertext is performed using the same key. Until 1976 when 
Diffie and Hellman introduced public-key or two-key cryptography [20] all ciphers 
were one-key systems, today called conventional or classical cryptosystems. Con- 
ventional cryptosystems are widely used throughout the world today, and new 
systems are published frequently. There are two kinds of one- key ciphers, stream 
ciphers and block ciphers. In stream ciphers, typically a long sequence of bits is 
generated from a short string of key bits, and is then added bitwise modulo 2 to 
the plaintext to produce the ciphertext. In block ciphers the plaintext is divided 
into blocks of a fixed length, which are then encrypted into blocks of ciphertexts 
using the same key. The interested reader will find a comprehensive treatment 
of early cryptology in [28]. 

A block cipher is called an iterated cipher if the ciphertext is computed by 
iteratively applying a round function several times to the plaintext. In each round 
a round key is combined with the text input. In other words, let $G$ be a function 
taking two arguments, such that it is invertible when the first argument is fixed. 
Then define 

$$C_i = G(K_i, C_{i-1}),$$

where $C_0$ is the plaintext, $K_i$ is the $i$th round key, and $C_r$ is the ciphertext. 
A special kind of iterated ciphers are the Feistel ciphers. A Feistel cipher with 
block size $2n$ and $r$ rounds is defined as follows. Let $C_0^L$ and $C_0^R$ be the left and 
right halves of the plaintext, respectively, each of $n$ bits. The round function $G$ 
operates as follows 

$$C_i^L = C_{i-1}^R,$$
$$C_i^R = F(K_i, C_{i-1}^R) + C_{i-1}^L,$$

and the ciphertext is the concatenation of $C_r^R$ and $C_r^L$. Note that $F$ can be any 
function taking as arguments an $n$-bit text and a round key $K_i$ and producing 
$n$ bits. ‘+’ is a commutative group operation on the set of $n$-bit blocks. For the 
remainder of this paper we will assume that ‘+’ is the exclusive-or operation 
($\oplus$). 

I. Damgard (Ed.): Lectures on Data Security, LNCS 1561, pp. 105–126, 1999. 

© Springer-Verlag Berlin Heidelberg 1999 

The Data Encryption Standard (DES) [55] is by far the most widely used it- 
erated block cipher today. Around the world, governments, banks, and standards 
organisations have made the DES the basis of secure and authentic communica- 
tion [65]. The DES is a Feistel cipher. However, the key size and the block size of 
the DES have become too small. Therefore the National Institute of Standards 
and Technology (NIST) in the U.S.A. has initiated the process of developing and 
standardising a new encryption algorithm, the Advanced Encryption Standard 
(AES) [57], as a replacement for DES. This work is ongoing as this paper is 
written. 

The remainder of this paper is organised as follows. § 2 lists and discusses 
the modes of operation for block ciphers used for encryption. § 3 discusses the 
theoretical and practical security of block ciphers. The most important methods 
of cryptanalysing block ciphers are given in § 4. § 5 discusses design principles of 
block ciphers and § 6 reviews how to strengthen the DES. In § 7 the Advanced En- 
cryption Standard is discussed and some conjectures are made, and § 8 contains 
concluding remarks. 



2 Modes of Operations 

The most obvious and widespread use of a block cipher is for encryption. In 1980 
a list of four modes of operation for the DES was published [56]. These four modes 
can be used with any block cipher and seem to cover most applications of block 
ciphers used for encryption [18]. In the following let $E_K(\cdot)$ be the permutation 
induced by using the block cipher $E$ of block length $n$ with the key $K$ and 
let $P_1, P_2, \ldots, P_i, \ldots$ be the blocks of plaintexts to be encrypted. The Electronic 
Code Book (ECB) is the native mode, where one block at a time is encrypted 
independently of the encryptions of other blocks, $C_i = E_K(P_i)$, $P_i = D_K(C_i)$. In 
the Cipher Block Chaining (CBC) mode the encryption of a block depends on 
the encryptions of previous blocks, $C_i = E_K(P_i \oplus C_{i-1})$, $P_i = D_K(C_i) \oplus C_{i-1}$, 
where $C_0$ is a chosen initial value. The Cipher Feedback (CFB) mode is a stream 
cipher mode, where one $m$-bit character at a time is encrypted: 

$$C_i = P_i \oplus \mathrm{MSB}_m(E_K(X_i)),$$
$$X_{i+1} = \mathrm{LSB}_{n-m}(X_i) \,\|\, C_i,$$

where $X_1$ is a chosen initial value, $\|$ denotes concatenation of blocks, and $\mathrm{MSB}_s$ and 
$\mathrm{LSB}_s$ denote the $s$ most and least significant bits respectively, or equivalently the 
leftmost and rightmost bits respectively. Decryption is similar to encryption. 
Here $m$ can be any number between 1 and the block length of the cipher. If 
the plaintext consists of characters, $m = 7$ or $m = 8$ is usually the well-chosen 
parameter. The Output Feedback (OFB) mode is a second stream mode, where 
the stream bits are not dependent on the previous plaintexts, that is, only the 
stream bits are fed back, not the ciphertext as in CFB mode: 



$$C_i = P_i \oplus \mathrm{MSB}_m(E_K(X_i)),$$
$$X_{i+1} = \mathrm{LSB}_{n-m}(X_i) \,\|\, \mathrm{MSB}_m(E_K(X_i)),$$

where $X_1$ is a chosen initial value. Decryption is equal to encryption. Both the 
CFB and OFB modes have two parameters, the size of the plaintext block and 
the size of the feedback value. In the above definition we have chosen them equal 
and will do so also in the following. 

The ECB is the native mode, well-suited for encryption of keys of fixed 
length. It is not suited for the encryption of larger plaintexts, since equal blocks 
are encrypted into equal blocks. To avoid this, the CBC mode is recommended. 
Not only does a current ciphertext block depend on the current plaintext but 
also on all previous ciphertext blocks. In some applications there is a need for 
encryption of characters instead of whole blocks, e.g., the 8 bytes for the CBC 
mode of DES. For that purpose the CFB and OFB modes are suitable. It is often 
recommended to use the OFB mode only with full feedback, i.e., with $m = n$ 
(64 for the DES). This stems from the fact that for $m < n$ the feedback function 
is not one-to-one, and therefore has a relatively short cycle [18] of length about 



An important issue in the applications of the four modes is how an error in 
the transmission of ciphertexts is propagated. In the ECB mode an error in a 
ciphertext block affects only one plaintext block. A lost ciphertext block results 
in a lost plaintext block. An error in a ciphertext block in the CBC mode affects 
two plaintext blocks. As an example, assume that ciphertext $C_3$ has an error and 
that all other ciphertext blocks are error-free; then $P_4 = D_K(C_4) \oplus C_3$ inherits the 
error from $C_3$ and $P_3 = D_K(C_3) \oplus C_2$ will be completely garbled. Here we assume 
that even a small change in the input to the block cipher will produce a randomly 
looking output. All other plaintexts will be decrypted correctly. A lost ciphertext 
block results in a lost plaintext block and an error in one additional plaintext 
block, after which the mode synchronises itself. In the CFB mode an error in a 
ciphertext block $C_i$ will be inherited by the corresponding plaintext block and 
moreover, since $X_{i+1}$ contains the garbled $C_i$, the subsequent plaintext blocks 
will be garbled until the $X$ value is free of $C_i$, i.e., when $C_i$ has been shifted 
out. In other words in CFB mode with $m$-bit ciphertexts, at most $n/m + 1$ 
plaintext blocks will be garbled. The case of lost ciphertext blocks is similar to 
that of the CBC mode. In the OFB mode, since the feedback is independent of 
the plaintexts and ciphertexts, a transmission error in a ciphertext block garbles 
only the corresponding plaintext block and is not propagated to other plaintext 
blocks. On the other hand, a lost ciphertext block will result in an infinite error 
propagation. 
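The Feistel construction of § 1 and the four modes of § 2, together with the error-propagation experiment just described, as an added example that is not code from the paper. The cipher is a toy: the SHA-256-based round function $F$ and key schedule are stand-ins chosen for the example (assumptions, not a real cipher), $n$ is 64 bits with $m = 8$ for CFB and OFB, and all keys, initial values and plaintexts are constructed.

```python
"""Toy Feistel cipher with the four modes of §2 and the error-propagation
experiment from the text.  Added example, not code from the paper: the
SHA-256-based round function F and key schedule are stand-ins chosen for
the example (assumptions), and all keys, IVs and plaintexts are constructed."""
import hashlib

N = 64                  # block size (2n in the paper's notation)
HALF = N // 2           # n: bits per Feistel half
MASK = (1 << HALF) - 1

def round_keys(key: bytes, rounds: int = 16) -> list:
    # Key schedule (assumption): K_i = SHA-256(key || i), truncated to n bits
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF // 8] for i in range(rounds)]

def F(k: bytes, x: int) -> int:
    # Any function of an n-bit text and a round key giving n bits is allowed
    h = hashlib.sha256(k + x.to_bytes(HALF // 8, "big")).digest()
    return int.from_bytes(h[:HALF // 8], "big")

def feistel(block: int, keys: list) -> int:
    # C_i^L = C_{i-1}^R and C_i^R = F(K_i, C_{i-1}^R) xor C_{i-1}^L; output C_r^R || C_r^L
    left, right = block >> HALF, block & MASK
    for k in keys:
        left, right = right, F(k, right) ^ left
    return (right << HALF) | left

def E(key: bytes, block: int) -> int:
    return feistel(block, round_keys(key))

def D(key: bytes, block: int) -> int:
    # Decryption runs the same network with the round keys in reverse order
    return feistel(block, round_keys(key)[::-1])

def ecb_encrypt(key, blocks):
    return [E(key, p) for p in blocks]                 # C_i = E_K(P_i)

def ecb_decrypt(key, blocks):
    return [D(key, c) for c in blocks]                 # P_i = D_K(C_i)

def cbc_encrypt(key, c0, blocks):
    out, prev = [], c0
    for p in blocks:
        prev = E(key, p ^ prev)                        # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return out

def cbc_decrypt(key, c0, blocks):
    out, prev = [], c0
    for c in blocks:
        out.append(D(key, c) ^ prev)                   # P_i = D_K(C_i) xor C_{i-1}
        prev = c
    return out

def cfb(key, x1, units, m, decrypt=False):
    # m-bit CFB; decryption differs only in feeding back the received unit
    out, x = [], x1
    for u in units:
        v = u ^ (E(key, x) >> (N - m))                 # C_i = P_i xor MSB_m(E_K(X_i))
        out.append(v)
        c = u if decrypt else v                        # the ciphertext unit
        x = ((x & ((1 << (N - m)) - 1)) << m) | c      # X_{i+1} = LSB_{n-m}(X_i) || C_i
    return out

def ofb(key, x1, units, m):
    # m-bit OFB; only keystream is fed back, so decryption is the same call
    out, x = [], x1
    for u in units:
        ks = E(key, x) >> (N - m)                      # MSB_m(E_K(X_i))
        out.append(u ^ ks)
        x = ((x & ((1 << (N - m)) - 1)) << m) | ks     # X_{i+1} = LSB_{n-m}(X_i) || MSB_m(E_K(X_i))
    return out

def damaged_units(encrypt, decrypt, units, bad, bit):
    """Flip one bit of ciphertext unit `bad`; return indices of plaintext units that change."""
    cts = encrypt(units)
    cts[bad] ^= 1 << bit
    return [i for i, (u, r) in enumerate(zip(units, decrypt(cts))) if u != r]

def error_propagation_report(key=b"constructed-key", m=8):
    """Run the experiment of the text for all four modes on constructed data."""
    blocks = [(0x0123456789ABCDEF * (i + 1)) & ((1 << N) - 1) for i in range(6)]
    units = list(b"constructed plaintext, one byte per CFB/OFB unit")
    iv = 0xFEDCBA9876543210
    return {
        "ECB": damaged_units(lambda b: ecb_encrypt(key, b), lambda c: ecb_decrypt(key, c), blocks, 2, 5),
        "CBC": damaged_units(lambda b: cbc_encrypt(key, iv, b), lambda c: cbc_decrypt(key, iv, c), blocks, 2, 5),
        "CFB": damaged_units(lambda u: cfb(key, iv, u, m), lambda c: cfb(key, iv, c, m, True), units, 4, 0),
        "OFB": damaged_units(lambda u: ofb(key, iv, u, m), lambda c: ofb(key, iv, c, m), units, 4, 0),
    }

if __name__ == "__main__":
    for mode, garbled in error_propagation_report().items():
        print(f"{mode}: plaintext units garbled by one flipped ciphertext bit -> {garbled}")
```

Running it prints, for each mode, which plaintext units a single flipped ciphertext bit reaches: exactly one block for ECB, two for CBC (the second differing from the true plaintext in just the flipped bit position), a window of at most $n/m + 1 = 9$ units for CFB, and one unit for OFB, which is the behaviour the text derives from the feedback equations.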
3 Security of Secret-Key Block Ciphers 

When discussing the security of cryptographic systems one needs to define a 
model of the reality. We will use the model of Shannon [64]. The sender and 
the receiver share a common key K, which has been transmitted over a secure 
channel. The sender encrypts a plaintext P using the secret key K, sends C 
over an insecure channel to the receiver, who restores C into P using K. The 
attacker has access to the insecure channel and can intercept the ciphertexts 
(cryptograms) sent from the sender to the receiver. In this section we assume 
that the legitimate sender and receiver use a secret-key cipher Ek{-) of block 
size $n$ (bits), where the key $K$ is of size $k$. To prevent an attacker from speculating 
about how the legitimate parties have constructed their common key, the following 
assumption is made. 

Assumption 1. All keys are equally likely and a key K is always chosen uni- 
formly random. 

Also we will assume that all details about the cryptographic algorithm used by 
the sender and receiver are known to the attacker, except for the secret key. This 
assumption is known as Kerckhoffs’s Assumption [28]. 

Assumption 2. The enemy cryptanalyst knows all details of the enciphering 
process and deciphering process except for the value of the secret key. 

For a fixed key, a block cipher is a permutation. There are in total $2^n!$ possible 
$n$-bit permutations. Thus, it would require about $k = n2^n$ bits to specify all of them. 
With a block size of 64 bits or more this is a huge number. In a practical block 
cipher, the key size is much smaller, typically $k = 128$ or $k = 256$. A block cipher 
(system) with a $k$-bit key and blocks of $n$ bits can be seen as an algorithm of 
how to select and specify $2^k$ of all $2^n!$ $n$-bit permutations. 



3.1 Classification of Attacks 

The possible attacks an attacker can do are classified as follows. 

— Ciphertext-only attack. The attacker has obtained a set of intercepted ci- 
phertexts. 

— Known plaintext attack. The attacker obtains $P_1, P_2, \ldots, P_s$, a set of $s$ plain- 
texts, and the corresponding ciphertexts $C_1, C_2, \ldots, C_s$. 

— Chosen plaintext attack. The attacker chooses a priori a set of $s$ plain- 
texts $P_1, P_2, \ldots, P_s$ and obtains in some way the corresponding ciphertexts 
$C_1, C_2, \ldots, C_s$. 

— Adaptively chosen plaintext attack. The attacker chooses a set of plain- 
texts $P_1, P_2, \ldots, P_s$ interactively as he obtains the corresponding ciphertexts 
$C_1, C_2, \ldots, C_s$. That is, the attacker chooses $P_1$, obtains $C_1$, then chooses $P_2$ 
etc. 

— Chosen ciphertext attacks. For symmetric ciphers these are similar to those 
of chosen plaintext attack and adaptively chosen plaintext attack, where the 
roles of plain- and ciphertexts are interchanged. 

Also, one can consider any combination of the above attacks. The chosen text 
attacks are obviously the most powerful attacks. In many applications they are 
however also unrealistic attacks. If the plaintext space contains redundancy, it 
will be hard for an attacker to ‘trick’ a legitimate sender into encrypting non- 
meaningful plaintexts and similarly hard to get ciphertexts decrypted, which do 
not yield meaningful plaintexts. But if a system is secure against an adaptively 
chosen plaintext/ciphertext attack then it is also secure against all other attacks. 
An ideal situation for a designer would be to prove that her system is secure 
against an adaptively chosen text attack, although an attacker may never be 
able to mount more than a ciphertext only attack. 

3.2 Theoretical Secrecy 

In his milestone paper from 1949 [64] Shannon defines perfect secrecy for secret- 
key systems and shows that they exist. Shannon’s theory is described in many 
text books and here only a few of his results are stated. A secret-key cipher is 
perfect if for all $P$ and all $C$ it holds that $\Pr(P) = \Pr(P \mid C)$ [64]. In other words, 
a ciphertext $C$ gives no information about the plaintext. This definition leads to 
the following result. 

Corollary 1. A perfect cipher is unconditionally secure against a ciphertext- 
only attack. 

As noted by Shannon the Vernam cipher, also called the one-time pad, is a perfect 
secret-key cipher. In the one-time pad the plaintext characters are exclusive- 
ored with independent key characters to produce the ciphertexts. However, the 
practical applications of perfect secret-key ciphers are limited, since it requires 
as many digits of secret key as there are digits to be enciphered [45]. Clearly, the 
above definition of a perfect cipher makes no sense when considering known or 
chosen plaintext attacks. A less stringent form of theoretical secrecy is possible, 
in terms of the unicity distance. It is the smallest integer $s$ such that essentially 
only one value of the secret key $K$ could have encrypted some plaintexts to the 
ciphertexts $C_1, \ldots, C_s$. The unicity distance depends on both the key size and on 
the redundancy in the plaintext space. Redundancy is an effect of the fact that 
certain plaintext characters appear more frequently than others. However, the 
unicity distance gives no indication of the computational difficulty in breaking 
a cipher; it is merely a lower bound on the amount of ciphertext blocks needed 
in a ciphertext-only attack. The concept of unicity distance can be adapted also 
to the known or chosen plaintext scenario. In these cases the redundancy of the 
plaintexts from the attacker’s point of view is zero. Let $k$ and $n$ be the number of 
bits in the secret key and in the plaintexts and ciphertexts, respectively. If we assume 
that the keys are always chosen uniformly at random the unicity distance in a 
known or chosen plaintext attack is $\lceil k/n \rceil$. 
3.3 Practical Secrecy 

In recent years cryptanalysis has been focused on finding the key $K$ of a 
secret-key cipher. However, there are other serious attacks, which do not find 
the secret key. In the sequel Assumption 1 is used. 

— Total break. An attacker finds the secret key K. 

— Global deduction. An attacker finds an algorithm $A$, functionally equivalent 
to $E_K(\cdot)$ (or $D_K(\cdot)$) without knowing the key $K$. 

— Instance (local) deduction. An attacker finds the plaintext (ciphertext) of an 
intercepted ciphertext (plaintext), which he did not obtain from the legiti- 
mate sender. 

— Information deduction. An attacker gains some (Shannon) information about 
the secret key, the plaintexts or the ciphertexts, which he did not get directly 
from the sender and which he did not have before the attack. 

— Distinguishing algorithm. An attacker is able to tell whether the attacked 
cipher is a randomly chosen permutation or one of the $2^k$ permutations 
specified by the secret key. 

Clearly, this classification is hierarchical, that is, if a total break is possible, then 
a global deduction is possible and so on. 

A global deduction is possible when a block cipher contains a “block struc- 
ture”. If certain subsets of the ciphertext are independent of certain subsets of 
the plaintext, then no matter how long the key is, the block cipher is vulnerable 
to a global deduction in a known plaintext attack. Also, in iterated block ciphers 
the round keys are sometimes generated in a one-way fashion [62,63,15,16]. So in 
attacks, which find the round keys, it may be impossible for the attacker to derive 
the actual value of the secret key, but at the same time the round keys enable the 
attacker to encrypt and decrypt. An instance deduction can be as dangerous as 
a total break, if the number of likely plaintexts is small. Consider the situation 
where the block cipher is used for encrypting a key in a key-exchange protocol. 
Here only one plaintext is encrypted and a total break is equal to an instance 
deduction. If the plaintext space is highly redundant an information deduction 
can be a serious problem. In general, the legitimate parties are often interested 
in that no information at all about the plaintexts and keys are obtained by 
any enemies. A distinguishing algorithm is the least serious attack. Let $A$ be an 
attack (a distinguisher), which has access to a black box which is able to com- 
pute $E_K(\cdot)$ for $K$ the secret key. When asked for the ciphertexts of plaintexts 
$P_1, \ldots, P_i$ the black box flips a coin whether to return $E_K(P_1), \ldots, E_K(P_i)$ or 
$\pi(P_1), \ldots, \pi(P_i)$ for a randomly chosen permutation $\pi$. The attack $A$ has to de- 
cide whether the encryptions came from $E_K(\cdot)$ or $\pi$. The advantage of the attack 
is $\left|\Pr(A : \text{“it is } E_K(\cdot)\text{”} \mid E_K(\cdot) \text{ was used}) - \Pr(A : \text{“it is } E_K(\cdot)\text{”} \mid \pi \text{ was used})\right|$, 
that is, a number between 0 and 1. The higher the number the better the at- 
tacker’s strategy. 

In the following some trivial attacks applicable to all block ciphers are dis- 
cussed. All block ciphers are totally breakable in a ciphertext-only attack, simply 
by trying all keys one by one and checking whether the computed plaintext is 
meaningful, using only about $N_{ud}$ ciphertext blocks, where $N_{ud}$ is the unicity dis- 
tance. This attack requires the computation of about $2^k$ encryptions. Also, there 
is the table look-up attack, where the attacker encrypts in a pre-computation 
phase a fixed plaintext $P$ under all possible keys and sorts and stores all the 
ciphertexts. Thereafter the cipher is totally breakable in a chosen plaintext attack 
requiring one chosen plaintext. There might be some keys encrypting $P$ into the 
same ciphertext. Repeating the attack a few times with $P' \neq P$ will give a unique 
key. All block ciphers are globally/instance deducible under a known/chosen 
plaintext attack. Simply get and store all possible plaintext/ciphertext pairs. 
The running time of a deduction is the time of one table look-up. 

The following result shows that a non-trivial information gain can be obtained 
when about the square root of all ciphertexts are available. 

Theorem 1 ([34]). Every $n$-bit block cipher used in the ECB, CBC or CFB 
mode is information deducible in a ciphertext-only attack with complexity about 

Note that the result of Theorem 1 is independent of the key size. This attack 
on CBC mode was named the matching ciphertext attack in [12]. Thus, it is 
recommended that a single key is used to encrypt at most $2^{n/2}$ ciphertext blocks. 
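The matching ciphertext effect behind Theorem 1 for CBC mode, as an added example that is not code from the paper, to show why the limit of about $2^{n/2}$ blocks per key matters. The block cipher is modelled as a random permutation on $n$-bit blocks (assumption: an ideal cipher under one fixed key), $n = 16$ is chosen small so that the first matching pair appears after a few hundred blocks, and the seed, initial value and plaintexts are constructed.

```python
"""Matching-ciphertext (birthday) effect in CBC mode.  Added example, not code
from the paper.  The block cipher is modelled as a random permutation on n-bit
blocks (assumption: an ideal cipher under one fixed key); n = 16 is chosen
small so that the effect shows up in a few hundred blocks."""
import random


def random_permutation(n: int, seed: int) -> list:
    # Under a fixed key an ideal n-bit block cipher is a random permutation
    perm = list(range(1 << n))
    random.Random(seed).shuffle(perm)
    return perm


def cbc_encrypt(perm: list, c0: int, plaintexts: list) -> list:
    out, prev = [], c0
    for p in plaintexts:
        prev = perm[p ^ prev]                          # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return out


def matching_ciphertext_leak(n: int, num_blocks: int, seed: int = 1):
    """Encrypt num_blocks random plaintexts under one key and look for the first
    matching pair C_i = C_j.  Since E_K is a permutation, C_i = C_j forces
    P_i xor C_{i-1} = P_j xor C_{j-1}, so P_i xor P_j = C_{i-1} xor C_{j-1} is
    revealed by ciphertext alone (an information deduction).  Returns None if no
    match occurs, else a dict with the indices, the leaked XOR and, for
    verification only, the true XOR of the two plaintexts."""
    rng = random.Random(seed)
    perm = random_permutation(n, seed)
    c0 = rng.randrange(1 << n)                         # constructed initial value
    pts = [rng.randrange(1 << n) for _ in range(num_blocks)]  # constructed plaintexts
    cts = cbc_encrypt(perm, c0, pts)
    chain = [c0] + cts                                 # chain[i] is the block XORed into P_i
    seen = {}
    for j, c in enumerate(cts):
        if c in seen:
            i = seen[c]
            return {
                "i": i, "j": j, "blocks_seen": j + 1,
                "birthday_bound": 1 << (n // 2),
                "leaked_xor": chain[i] ^ chain[j],     # computed from ciphertext only
                "true_xor": pts[i] ^ pts[j],           # for checking the claim
            }
        seen[c] = j
    return None


if __name__ == "__main__":
    print(matching_ciphertext_leak(16, 4000))
```

The number of blocks seen before the first match lands near the birthday bound $2^{n/2} = 256$ regardless of how the permutation was chosen, which is the sense in which the result is independent of the key size; for a 64-bit block this bound is $2^{32}$ blocks, the usage limit after which a key should be changed.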

Hellman [24] has presented a time-memory trade-off attack on any block 
cipher, which finds the secret key after $2^{2k/3}$ encryptions using $2^{2k/3}$ words of 
memory. The $2^{2k/3}$ words of memory are computed in a pre-processing phase, 
which takes the time of $2^k$ encryptions. 

To estimate the complexity of a cryptanalytic attack one must consider at 
least the time it takes, the amount of data that is needed and the storage require- 
ments. For an $n$-bit block cipher the following complexities should be considered. 
Data complexity: The amount of data needed as input to an attack. Units are 
measured in blocks of length $n$. Denote this complexity $C_d$. Processing com- 
plexity: The time needed to perform an attack. Time units are measured as the 
number of encryptions an attacker has to do himself. Denote this complexity 
$C_p$. Storage complexity: The words of memory needed to do the attack. Units 
are measured in blocks of length $n$. Denote this complexity $C_s$. As a rule of 
thumb, the complexity of an attack is taken to be the maximum of the three 
complexities, that is, $C_a = \max(C_d, C_p, C_s)$. In general, there are some devia- 
tions from this rule and furthermore the three complexities are relative to the 
attacker. As an example, we may say that the above attack by Hellman on the 
DES has complexity $2^{2 \cdot 56/3} \approx 2^{38}$. Although the time of the pre-computation 
phase is $2^{56}$, it is done only once after which any DES-key can be derived with 
a complexity of $2^{38}$. On the other hand, the storage requirements may be un- 
realistic for most attackers, e.g., the attack on the DES will require about 1000 
Gigabytes of memory. 

4 Cryptanalysis of Block Ciphers 

The history of cryptanalysis is long and at least as fascinating as the history of 
cryptography. As a single example, in 1917 in an article in “Scientific American” 
the Vigenère cipher was claimed to be “impossible of translation” [19]. Today, 
it is an exercise in cryptology classes to illustrate that this claim is not true. 

4.1 Attacks on Iterated Ciphers 

In the following, $P$ denotes the plaintext and $C$ denotes the ciphertext. In most modern attacks on iterated ciphers, the attacker repeats his attack for all possible values of (a subset of) the bits in the last-round key. The idea is that when he guesses the correct values of the bits of the key, he can compute bits of the ciphertexts after the second-last round, that is, before the last round, whereas when he guesses wrongly, these bits will correspond to ciphertext bits encrypted with a wrong key. If there is a probabilistic correlation between the bits of the plaintexts, $P$, and the bits of the ciphertexts before the last round, $\tilde{C}$, denoted $\mathrm{cor}(P, \tilde{C})$, an attacker might be able to distinguish the correct guesses of the key in the last round from wrong guesses. If this is the case, the attacker can peel off one round of the cipher and do a similar attack on a cipher one round shorter to find the second-last round key, etc. In some attacks it is advantageous to consider the first-round key instead of the last-round key, or both at the same time, depending on the structure of the cipher, the number of key bits involved in each round, etc.

In iterated ciphers the correlation is often found by first identifying a correlation between inputs and outputs of the individual rounds and then combining them into a correlation over several rounds. The probability of this correlation can be calculated as the product of the probabilities of the individual round correlations, if they are independent. For most ciphers this independence is obtained by assuming that all round keys are independent. Although this is most often not the case, first of all, experiments have shown [6,34,49] that this leads to a good approximation to the real probability, and secondly there seems to be no other way to compute the real probability.

Denote by the reduced cipher the cipher that one gets by removing the first and/or the final rounds of the original cipher. Let $\tilde{P}, \tilde{C}$ be the input bits and output bits, respectively, of the reduced cipher. Let $K$ be the key bits the attacker guesses in the attack (note that an attacker might not need to know all input and output bits of the reduced cipher). If the attacker guesses $K$ correctly, he can compute (bits of) $\tilde{P}, \tilde{C}$ from $P, C$. Let $P', C'$ be the results the attacker obtains when he guesses $K$ wrongly. The probability of success of an iterated attack depends first of all on whether $\mathrm{cor}(\tilde{P}, \tilde{C})$ is different from $\mathrm{cor}(P', C')$, at least for some wrong guesses of $K$. In most attacks on iterated ciphers, an attacker repeats the basic attack a number of times and counts the values of $K$ which led to the expected $\mathrm{cor}(\tilde{P}, \tilde{C})$. Although some attacks in the literature do not have exactly this form, they can be translated into this general form (at least for illustration). A similar approach was taken in [67]. The signal-to-noise ratio (see [6] for the differential attack) is the expected number of times the correct guess of the key is counted over the expected number of times a wrong guess of the key is counted. Earlier it was believed that a necessary condition for the success of an iterated attack is that the signal-to-noise ratio is greater than one [6]. However, it was later discovered [60,9] that an attack can work in two ways: when $S/N > 1$ one looks for the most suggested value of the key, and when $S/N < 1$ one looks for the least suggested value. Attacks where $S/N < 1$ are in principle as good as attacks where $S/N > 1$ but do not seem easier to find in general. In the following a number of iterated attacks are described. Since all of them have the above form, it suffices to describe how to detect and obtain the correlation of bits of the inputs and outputs of the reduced cipher.

4.2 Differential Cryptanalysis 

The most general method of analysing conventional cryptosystems today is differential cryptanalysis, published by Biham and Shamir in 1990. The method has proved to be relatively efficient and has been applied to a wide range of iterated ciphers, see e.g. [6,32]. Furthermore, it was the first attack which could (theoretically) recover DES keys in time less than the expected cost of exhaustive search [6,7]. In the following a brief description of differential cryptanalysis with respect to a general $n$-bit iterated cipher, cf. (1), is given.

First, one defines a difference between two bit strings, $X$ and $X'$, of equal length as

$$\Delta X = X \otimes (X')^{-1} \qquad (1)$$

where $\otimes$ is the group operation on the group of bit strings used to combine the key with the text input in the round function and where $(X')^{-1}$ is the inverse element of $X'$ with respect to $\otimes$. The idea behind this is that the differences between the texts before and after the key is combined are equal, so the difference is independent of the key. In a strong encryption algorithm there will be some components which are non-linear in the $\otimes$-operation. In a differential attack one exploits that for certain input differences the distribution of output differences of the non-linear components is non-uniform.

Definition 1 ([6]). An $s$-round characteristic is a series of differences defined as an $(s+1)$-tuple $\{\alpha_0, \alpha_1, \ldots, \alpha_s\}$, where $\Delta P = \alpha_0$ and $\Delta C_i = \alpha_i$ for $1 \le i \le s$.

Define $p_i$ as the probability that inputs of difference $\alpha_{i-1}$ lead to outputs of difference $\alpha_i$, where the probability is taken over all choices of the round key and the inputs to the $i$th round. In [44] the notion of a Markov cipher was introduced. In a Markov cipher this probability is independent of the actual inputs of the round and is calculated over all possible choices of the round key. Also in [44] it was shown that in a Markov cipher, if the round keys $K_i$ are independent, the $p_i$'s are also independent and

$$\Pr(\Delta C_s = \alpha_s \mid \Delta P = \alpha_0) = \prod_{i=1}^{s} \Pr(\Delta C_i = \alpha_i \mid \Delta C_{i-1} = \alpha_{i-1}). \qquad (2)$$

In some differential attacks using an $(r-1)$-round characteristic only the plaintext difference $\Delta P$ and the last ciphertext difference $\Delta C_{r-1}$ need to be fixed. That is, the intermediate differences $\Delta C_1, \Delta C_2, \ldots, \Delta C_{r-2}$ can have any value. Lai and Massey introduced the notion of differentials [44].






Definition 2. An $s$-round differential is a pair of differences $\{\alpha_0, \alpha_s\}$, where $\Delta P = \alpha_0$ and $\Delta C_s = \alpha_s$.

The probability of an $s$-round differential $(\Delta P, \Delta C_s)$ is the conditional probability that, given an input difference $\Delta P$ at the first round, the output difference at the $s$th round will be $\Delta C_s$. More formally, the probability of an $s$-round differential is given as

$$\Pr(\Delta C_s = \beta_s \mid \Delta P = \beta_0) = \sum_{\beta_1} \cdots \sum_{\beta_{s-1}} \prod_{i=1}^{s} \Pr(\Delta C_i = \beta_i \mid \Delta C_{i-1} = \beta_{i-1}), \qquad (3)$$

where $\Delta C_0 = \Delta P$. A differential will, in general, have a higher probability than a corresponding characteristic. Differentials were used in [54] to construct ciphers secure against differential attacks. Also, for some ciphers there is a significant advantage in considering differentials instead of characteristics [40].

In a differential attack the attacker does not know the key. Therefore, in finding a good differential, the attacker computes the probabilities of differentials assuming that all the round keys are uniformly random and independent. However, the pairs of encryptions an attacker gets are encrypted using the same key, where the round keys are fixed and (can be) dependent. In [42] this problem is dealt with as follows.

Definition 3 (Hypothesis of stochastic equivalence). For virtually all high probability $(r-1)$-round differentials $(\alpha, \beta)$

$$\Pr_P(\Delta C_{r-1} = \beta \mid \Delta P = \alpha, K = k) \approx \Pr_{P,K}(\Delta C_{r-1} = \beta \mid \Delta P = \alpha)$$

holds for a substantial fraction of the key values $k$.

In the differential attack on IDEA in [9], it was exploited that the hypothesis of stochastic equivalence does not hold for IDEA reduced to 3.5 rounds. A differential attack was mounted for which the $S/N$-ratio is one when the differential is averaged over all keys. When the key is fixed the $S/N$-ratio is different from one and the secret key can be recovered with sufficiently many pairs of plaintexts and ciphertexts. In [38] a differential attack on DEAL is described using a differential of probability zero. Also, recently a differential attack with $S/N < 1$ on Skipjack was announced [5].

Experiments have shown that the number of chosen plaintexts needed by the 
differential attack in general is approximately c/p, where p is the probability of 
the differential being used and c a small constant. 
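As an added illustration of Definitions 1 to 3 and of Eqs. (2) and (3), here is example code written for this page (it is not code from the paper). It builds the difference distribution table of a 4-bit S-box (the PRESENT S-box, chosen only because it is small and well studied) and uses it as the round function of a toy two-round cipher in which each round is a round-key XOR followed by the S-box. Since XOR does not change differences, the toy cipher is a Markov cipher: the probability of a characteristic is the product of Eq. (2), and the probability of a differential is the sum over intermediate differences of Eq. (3). Both are checked against exhaustive counting over all plaintexts and keys, and the fixed-key probability of Definition 3 is computed alongside the key-averaged one. The toy cipher, the key values and the way differences are chosen are assumptions of the example.

```python
# Added example for this page, not code from the paper: the difference
# distribution table (DDT) of a 4-bit S-box and the probabilities of
# characteristics (Eq. (2)) versus differentials (Eq. (3)) over a toy
# two-round cipher.  The S-box is the PRESENT S-box; the toy cipher, the
# key values and the exhaustive checks are constructed for the illustration.
from fractions import Fraction

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 16  # number of 4-bit values


def ddt(sbox=SBOX):
    """table[a][b] = #{x : S(x) ^ S(x ^ a) = b}.  Every row sums to 16."""
    table = [[0] * N for _ in range(N)]
    for a in range(N):
        for x in range(N):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


DDT = ddt()


def one_round_prob(a, b):
    """Probability that input difference a yields output difference b across
    one round (round-key XOR, then S-box).  The XOR leaves the difference
    unchanged, so this is the same for every round key: a Markov cipher."""
    return Fraction(DDT[a][b], N)


def characteristic_prob(alphas):
    """Eq. (2): product of the one-round probabilities along one fixed path
    alpha_0 -> alpha_1 -> ... -> alpha_s (independent round keys assumed)."""
    p = Fraction(1)
    for a, b in zip(alphas, alphas[1:]):
        p *= one_round_prob(a, b)
    return p


def differential_prob(alpha0, alpha2):
    """Eq. (3) for s = 2: the sum over every intermediate difference alpha_1."""
    return sum((characteristic_prob((alpha0, a1, alpha2)) for a1 in range(N)),
               Fraction(0))


def best_characteristic(alpha0, alpha2):
    """The single path alpha_0 -> alpha_1 -> alpha_2 of highest probability."""
    return max(((alpha0, a1, alpha2) for a1 in range(N)), key=characteristic_prob)


def toy_encrypt(p, k):
    """Toy two-round iterated cipher on 4-bit blocks with key k = (k0, k1, k2):
    C = S(S(P ^ k0) ^ k1) ^ k2."""
    return SBOX[SBOX[p ^ k[0]] ^ k[1]] ^ k[2]


def fixed_key_prob(alpha0, alpha2, k):
    """Left-hand side of Definition 3: Pr_P(Delta C_2 = alpha2 | Delta P = alpha0,
    K = k), counted exactly over all 16 plaintexts for one fixed key."""
    hits = sum(toy_encrypt(p, k) ^ toy_encrypt(p ^ alpha0, k) == alpha2
               for p in range(N))
    return Fraction(hits, N)


def key_averaged_prob(alpha0, alpha2):
    """Right-hand side of Definition 3: the same probability averaged over the
    key space.  k0 and k2 cancel out of every difference, so averaging over
    the middle key k1 is averaging over all keys."""
    return sum((fixed_key_prob(alpha0, alpha2, (0, k1, 0)) for k1 in range(N)),
               Fraction(0)) / N


def most_likely_differential():
    """The two-round differential (alpha_0, alpha_2) of highest probability."""
    return max(((a0, a2) for a0 in range(1, N) for a2 in range(1, N)),
               key=lambda d: differential_prob(*d))


if __name__ == "__main__":
    a0, a2 = most_likely_differential()
    path = best_characteristic(a0, a2)
    print(f"differential {a0:x} -> {a2:x}: p = {differential_prob(a0, a2)}")
    print(f"best characteristic {path}: p = {characteristic_prob(path)}")
    per_key = [fixed_key_prob(a0, a2, (0, k1, 0)) for k1 in range(N)]
    print(f"fixed-key probabilities range over [{min(per_key)}, {max(per_key)}], "
          f"key average {key_averaged_prob(a0, a2)}")
```

Running it prints the best two-round differential, the best single characteristic inside it (strictly less likely, because several paths contribute) and the spread of fixed-key probabilities around the key-averaged value, which is exactly the gap the hypothesis of stochastic equivalence asks to be small. Exact rational arithmetic is used so that the comparison with the brute-force counts is an equality, not an approximation.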



Higher Order Differentials In [43] a definition of higher order derivatives of discrete functions was given. Later higher order differentials were used to cryptanalyse ciphers presumably secure against conventional differential attacks [37]. In [27] these attacks were extended and applied to the cipher of [54]. A $d$th order differential is a collection of $2^d$ (first-order) differentials. The main idea in the higher order differential attack is the fact that a $d$th order differential of a function of nonlinear order $d$ is a constant. Consequently, a $(d+1)$st order differential of the function is zero. Assume that (a subset of) the output bits of the reduced cipher are expressible as a low-degree polynomial $p(x) \in GF(2)[x_1, x_2, \ldots, x_l]$, where $x_1, x_2, \ldots, x_l$ is a subset of input bits to the reduced cipher. If this polynomial has degree not higher than $d$, then

$$\bigoplus_{x \in L_d} p(x) = c,$$

where $L_d$ denotes a $d$-dimensional subspace of $GF(2)^l$ and $c$ a constant. This method was applied to the cipher example given in [54]. This cipher is "provably secure" against a differential attack but can be broken in a higher order differential attack with relatively low complexity.
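The two facts the attack rests on can be checked exhaustively on a small function. The following example code was written for this page (it is not from the paper): it reads the nonlinear order of each output bit of the 4-bit PRESENT S-box off its algebraic normal form, then verifies that every $d$th order derivative (the XOR over a coset of a $d$-dimensional subspace $L_d$, i.e. a collection of $2^d$ first-order differences) is constant for $d$ equal to the degree, that every $(d+1)$st order derivative is zero, and that the $(d-1)$st order derivatives are not all constant. The S-box is the only ingredient taken from a real cipher; the choice of function and the enumeration are assumptions of the example.

```python
# Added example for this page (not from the paper): higher order derivatives
# of the 4-bit PRESENT S-box.  The algebraic degree of each output bit is read
# off its algebraic normal form, and the two facts the attack rests on are
# checked exhaustively: every d-th order derivative of a function of degree d
# is a constant, and every (d+1)-st order derivative is zero.
from itertools import combinations

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N_BITS = 4
POINTS = range(1 << N_BITS)  # all inputs of the S-box


def coordinate(sbox, i):
    """Output bit i of the S-box as a Boolean function of the 4-bit input."""
    return lambda x: (sbox[x] >> i) & 1


def anf(f):
    """Algebraic normal form via the Moebius transform: coeff[u] is the
    coefficient of the monomial whose variables are the set bits of u."""
    coeff = [f(x) for x in POINTS]
    step = 1
    while step < len(coeff):
        for u in range(len(coeff)):
            if u & step:
                coeff[u] ^= coeff[u ^ step]
        step <<= 1
    return coeff


def degree(f):
    """Nonlinear order of f: the largest monomial with coefficient 1."""
    return max((bin(u).count("1") for u, c in enumerate(anf(f)) if c), default=0)


def span(directions):
    """All elements of the subspace spanned by the given directions."""
    space = {0}
    for a in directions:
        space |= {v ^ a for v in space}
    return sorted(space)


def subspaces(d):
    """Every d-dimensional subspace L_d of GF(2)^4, each listed once."""
    seen = set()
    for dirs in combinations(range(1, 1 << N_BITS), d):
        sp = frozenset(span(dirs))
        if len(sp) == 1 << d and sp not in seen:   # independent directions only
            seen.add(sp)
            yield sorted(sp)


def derivative(f, subspace, x):
    """d-th order derivative of f at x along the d-dimensional subspace: the XOR
    of f over the coset x + L_d, i.e. a collection of 2^d first-order differences."""
    result = 0
    for v in subspace:
        result ^= f(x ^ v)
    return result


def derivative_is_constant(f, d):
    """True if every d-th order derivative takes one value at all points x."""
    return all(len({derivative(f, sp, x) for x in POINTS}) == 1
               for sp in subspaces(d))


def derivative_is_zero(f, d):
    """True if every d-th order derivative of f vanishes identically."""
    return all(derivative(f, sp, x) == 0 for sp in subspaces(d) for x in POINTS)


def sbox_degree(sbox=SBOX):
    """Nonlinear order of the S-box: the maximum over its output bits."""
    return max(degree(coordinate(sbox, i)) for i in range(N_BITS))


if __name__ == "__main__":
    d = sbox_degree()
    print("nonlinear order of the S-box:", d)
    for i in range(N_BITS):
        f = coordinate(SBOX, i)
        print(f"bit {i}: degree {degree(f)}; "
              f"{d}-th order derivatives constant: {derivative_is_constant(f, d)}; "
              f"{d + 1}-st order derivatives zero: {derivative_is_zero(f, d + 1)}; "
              f"{d - 1}-th order derivatives constant: {derivative_is_constant(f, d - 1)}")
```

In an attack the same computation is run on the reduced cipher rather than on a single S-box: if the attacker knows (or guesses) that the output bits have degree at most $d$ in a set of input bits, the XOR of the partially decrypted ciphertexts over $2^{d+1}$ plaintexts forming a coset of $L_{d+1}$ must be zero for the right key guess, which is the filter used to recover the last-round key.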



Truncated Differentials In some ciphers it is possible and advantageous to predict the values of only parts of the differences after each round of the cipher. Let $\{\alpha_0, \ldots, \alpha_s\}$ be an $s$-round characteristic. Then $\{\alpha'_0, \ldots, \alpha'_s\}$ is called a truncated characteristic if $\alpha'_i$ is a subsequence of $\alpha_i$. Truncated characteristics were used to some extent in [6] but only in the outer rounds of a cipher. Note that a truncated characteristic is a collection of characteristics and therefore reminiscent of a differential. A truncated characteristic contains all characteristics $\{\alpha''_0, \alpha''_1, \ldots, \alpha''_s\}$ for which $\mathrm{trunc}(\alpha''_i) = \alpha'_i$, where $\mathrm{trunc}(x)$ is the truncated value of $x$; the truncation is not further specified here. The notion of truncated characteristics extends in a natural way to truncated differentials, introduced in [37].

Truncated differentials were used in [39] to attack SAFER K [46,47]. Also, in [9] truncated differential attacks were presented on IDEA [44] and, most recently, on Skipjack [5].



4.3 Linear Cryptanalysis 

Linear cryptanalysis was proposed by Matsui in 1993 [48]. A preliminary version of the attack on FEAL was described in 1992 [51]. Linear cryptanalysis is a known plaintext attack in which the attacker exploits linear approximations of some bits of the plaintext and ciphertext. In the attack on iterated ciphers the linear approximations are obtained by combining approximations for each round under the assumption of independent round keys. The attacker hopes in this way to find an expression

$$(P \cdot \alpha) = (C \cdot \beta) \qquad (4)$$

where $\alpha, \beta$ are $n$-bit strings and where $\cdot$ denotes the dot product, which holds with probability $p_L \ne 1/2$ over all keys, such that $|p_L - 1/2|$, called the bias, is maximal. As in differential cryptanalysis one can define characteristics to be used in linear cryptanalysis.

The number of known plaintexts needed such that the relation (4) can be effectively detected is approximately $|p_L - 1/2|^{-2}$. The following result appears in [53].






Theorem 2. If $X$ and $K$ are independent and $K$ is uniformly distributed on $GF(2)^\ell$, then for all $a \in GF(2)^m$, $b \in GF(2)^n$

$$2^{-\ell} \sum_{k \in GF(2)^\ell} \bigl|\Pr_X(X \cdot a + Y(X,k) \cdot b = 0) - 1/2\bigr|^2 = \sum_{c \in GF(2)^\ell} \bigl|\Pr_{X,K}(X \cdot a + Y(X,K) \cdot b + K \cdot c = 0) - 1/2\bigr|^2 .$$

This theorem shows the similarity between the concept of differentials in differential cryptanalysis and in linear cryptanalysis. An expression of the form (4) is called a linear hull. Note that in [48] the linear approximations have the form $(P \cdot \alpha) = (C \cdot \beta) \oplus (K \cdot \gamma)$, where $(K \cdot \gamma)$ is an exclusive-or of round-key bits accumulated in the linear characteristic. The bias of the linear approximation is taken as the bias of the linear characteristic used. However, such an attack cannot be guaranteed to work in general. If there exist linear approximations such that $(P \cdot \alpha) = (C \cdot \beta) \oplus (K \cdot \gamma)$ and $(P \cdot \alpha) = (C \cdot \beta) \oplus (K \cdot \gamma')$ both hold with probability $p > 1/2$ but where $(K \cdot \gamma) \ne (K \cdot \gamma')$, then these two linear approximations may cancel the effect of each other. This was also noted in [3].
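The cancellation effect and Theorem 2 can both be seen on a toy cipher. The following example code was written for this page (not code from the paper): it computes the linear approximation table of the 4-bit PRESENT S-box and uses the same toy two-round construction $C = S(S(P \oplus k_0) \oplus k_1) \oplus k_2$ as above. For a fixed key, the exact correlation of $(P \cdot a) = (C \cdot c)$ equals the signed sum, over every intermediate mask $b$, of the single-characteristic correlations, where the sign is the parity of the round-key bits $(K \cdot \gamma)$ the characteristic accumulates; that sum is the linear hull, and terms of opposite sign cancel. Theorem 2 is then checked by brute force with the middle round key $k_1$ in the role of $K$ ($\ell = 4$). The S-box is real; the toy cipher, mask choices and key values are assumptions of the example.

```python
# Added example for this page (not from the paper): the linear approximation
# table (LAT) of the 4-bit PRESENT S-box and the linear hull of a toy two-round
# cipher built from it, C = S(S(P ^ k0) ^ k1) ^ k2 (a construction for this
# illustration).  The exact correlation of (P.a) = (C.c) for a fixed key is
# compared with the single-characteristic estimate, and Theorem 2 is checked
# by brute force with the middle round key k1 playing the role of K.
from fractions import Fraction

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 16


def dot(u, v):
    """GF(2) dot product of two 4-bit strings: parity of the bitwise AND."""
    return bin(u & v).count("1") & 1


def lat(sbox=SBOX):
    """table[a][b] = #{x : a.x = b.S(x)} - 8; bias = entry/16, correlation = entry/8."""
    return [[sum(dot(a, x) == dot(b, sbox[x]) for x in range(N)) - N // 2
             for b in range(N)] for a in range(N)]


LAT = lat()


def cor_sbox(a, b):
    """Correlation 2p - 1 of the one-round approximation a.x = b.S(x)."""
    return Fraction(LAT[a][b], N // 2)


def toy_encrypt(p, k):
    """Toy two-round iterated cipher on 4-bit blocks, key k = (k0, k1, k2)."""
    return SBOX[SBOX[p ^ k[0]] ^ k[1]] ^ k[2]


def exact_cor(a, c, k):
    """Exact correlation of (P.a) = (C.c) for one fixed key over all 16 plaintexts."""
    s = sum(1 if dot(a, p) == dot(c, toy_encrypt(p, k)) else -1 for p in range(N))
    return Fraction(s, N)


def characteristic_cor(a, b, c, k):
    """Correlation predicted by the single linear characteristic a -> b -> c.
    Piling up gives the magnitude; the round-key bits a.k0 + b.k1 + c.k2 that
    the characteristic accumulates (the (K.gamma) term) give the sign."""
    sign = -1 if dot(a, k[0]) ^ dot(b, k[1]) ^ dot(c, k[2]) else 1
    return sign * cor_sbox(a, b) * cor_sbox(b, c)


def hull_cor(a, c, k):
    """Linear hull: the signed sum over every intermediate mask b.  Characteristics
    whose key terms differ can cancel each other, so for some keys the hull is
    weaker than its best characteristic and for others stronger."""
    return sum((characteristic_cor(a, b, c, k) for b in range(N)), Fraction(0))


def best_characteristic(a, c):
    """Intermediate mask b of the characteristic with the largest magnitude."""
    return max(range(N), key=lambda b: abs(cor_sbox(a, b) * cor_sbox(b, c)))


def theorem2_lhs(a, c):
    """2^-l * sum_k |Pr_X(X.a + Y(X,k).c = 0) - 1/2|^2 with K = k1 (l = 4) and
    k0 = k2 = 0; the outer keys only flip the sign, which the square removes."""
    return sum((exact_cor(a, c, (0, k1, 0)) / 2) ** 2 for k1 in range(N)) / N


def theorem2_rhs(a, c):
    """sum_m |Pr_{X,K}(X.a + Y(X,K).c + K.m = 0) - 1/2|^2 over all key masks m,
    each term counted over all 256 (plaintext, k1) pairs."""
    total = Fraction(0)
    for m in range(N):
        s = sum(1 if dot(a, p) ^ dot(c, toy_encrypt(p, (0, k1, 0))) ^ dot(m, k1) == 0
                else -1 for p in range(N) for k1 in range(N))
        total += (Fraction(s, N * N) / 2) ** 2
    return total


if __name__ == "__main__":
    a, c = 0x1, 0x1
    b = best_characteristic(a, c)
    for k1 in range(N):
        k = (0, k1, 0)
        print(f"k1={k1:x}: exact cor {exact_cor(a, c, k)}, "
              f"best characteristic (b={b:x}) {characteristic_cor(a, b, c, k)}, "
              f"hull {hull_cor(a, c, k)}")
    print("Theorem 2:", theorem2_lhs(a, c), "==", theorem2_rhs(a, c))
```

The printed table shows the practitioner's point: the magnitude of the best characteristic is the same for every key, but the exact correlation moves with $k_1$ as the other characteristics add to or subtract from it, so a data estimate based on one characteristic's bias can be off for a given key in either direction. Theorem 2 says what does survive averaging: the mean squared bias over keys equals the sum of the squared biases of all characteristics in the hull.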

In Matsui's attack on the DES, experiments indicate that the bias of the linear hull is equal to the bias of a single characteristic [49]. It is further confirmed by computer experiments that the probability of (4) is close to 1/2 when the value of $K$ is wrong. It is estimated that the complexity of a linear attack on the DES with up to 16 rounds is about

$$N_P \approx c \cdot |p_L - 1/2|^{-2}$$

where $c \le 8$. The attack on the DES was implemented in 1994, required a total of $2^{43}$ known plaintexts [49] and is today the fastest known key-recovery attack on the DES.

In [29] an improved linear attack using multiple linear approximations was given. In [41] a linear attack is shown using non-linear approximations in the outer rounds of an iterated cipher. For the DES none of these attacks has yet been shown to offer a significant improvement compared to Matsui's linear attack. The attacks seem best suited for ciphers with large S-boxes.



4.4 Davies’ Attack 

In [17] a correlation attack on the DES was outlined. It exploits that the outputs from neighbouring S-boxes are not uniformly distributed. The correlation can be iterated to any number of rounds with a corresponding decrease in the probability. The attack was improved in [4] and finds the secret key of the DES using about $2^{50}$ known plaintexts, and is the third known key-recovery attack which finds the secret key faster than by an exhaustive search.
4.5 Differential-Linear Attack

In [25] it was shown how to combine the techniques of differential and linear 
attacks. The attack is a chosen plaintext attack and considers pairs of plaintexts 
and ciphertexts, the bits of which are (partly) approximated by linear approxi- 
mations. In particular, an attack on the DES reduced to 8 rounds was devised, 
which on input only 512 chosen plaintexts finds the secret key. It seems that 
the attack is not easily extended to more than 8 rounds of DES [25]. In [1] the 
differential-linear attack was applied to FEAL. The attack takes a long time, 
but only 12 chosen plaintexts are needed. 

4.6 Other Variants 

Several generalisations of the differential and linear attacks have been developed. In [67] a generalisation of both the differential and linear attacks, known as statistical cryptanalysis, was introduced. It was demonstrated that a statistical attack on the DES included the linear attack by Matsui but without any significant improvement. The applications to other ciphers have not been demonstrated. In [22,23] two generalisations of the linear attack were given. However, none of them has yet proved to be much more efficient than the linear attack.

4.7 Interpolation Attack 

In [27] the interpolation attack was introduced, based on the following well-known formula. Let $R$ be a field. Given $2n$ elements $x_1, \ldots, x_n, y_1, \ldots, y_n \in R$, where the $x_i$'s are distinct, define

(5)

$f(x)$ is the only polynomial over $R$ of degree at most $n-1$ such that $f(x_i) = y_i$ for $i = 1, \ldots, n$. Equation (5) is known as the Lagrange interpolation formula (see e.g., [10, page 185]).

In the interpolation attack an attacker constructs polynomials using inputs and outputs of the reduced cipher. This is particularly easy if the components in the cipher can be easily expressed as mathematical functions. The idea in the attack is that if the constructed polynomials have a small degree, only few plaintexts and their corresponding ciphertexts are necessary to solve for the (key-dependent) coefficients of the polynomial. In an extended version of the attack meet-in-the-middle techniques are used to further reduce the degrees of the used polynomials [27].
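The following example code, written for this page and not taken from the paper, carries the attack through on a constructed toy cipher over $GF(2^8)$ (the Rijndael field polynomial is used for the arithmetic). Each of the two rounds adds a round key and raises the state to the 7th power, a permutation of the field, so the ciphertext is a polynomial of degree $7 \cdot 7 = 49$ in the plaintext. Lagrange interpolation on 50 known plaintext/ciphertext pairs, out of the 256 possible, therefore recovers the whole polynomial, after which the attacker can encrypt any plaintext without the key; with only 49 pairs the interpolant is wrong on every other input. The cipher, the exponent, the key and the pairs used are assumptions of the example.

```python
# Added example for this page (not from the paper): an interpolation attack on
# a toy cipher over GF(2^8).  The cipher, its key and the exponent 7 are
# constructed for the illustration; they are not a cipher from the text.  Each
# round raises the key-whitened state to the 7th power, so the ciphertext is a
# polynomial in the plaintext of degree 7 * 7 = 49.  Lagrange interpolation on
# 50 known plaintext/ciphertext pairs therefore recovers that polynomial, after
# which the attacker encrypts any plaintext without ever learning the key.
IRREDUCIBLE = 0x11B  # x^8 + x^4 + x^3 + x + 1, the field used by Rijndael


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the irreducible polynomial above."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= IRREDUCIBLE
        b >>= 1
    return r


def gf_pow(a, e):
    """a^e in GF(2^8) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse: a^(2^8 - 2) = a^254 (a must be non-zero)."""
    return gf_pow(a, 254)


def toy_encrypt(p, k):
    """Toy two-round cipher: C = ((P + k0)^7 + k1)^7 + k2 over GF(2^8).  x -> x^7
    is a permutation of GF(2^8) since gcd(7, 255) = 1, and '+' is XOR."""
    y = gf_pow(p ^ k[0], 7) ^ k[1]
    return gf_pow(y, 7) ^ k[2]


def poly_mul(p, q):
    """Product of polynomials given as coefficient lists (index = degree)."""
    r = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        if pi:
            for j, qj in enumerate(q):
                r[i + j] ^= gf_mul(pi, qj)
    return r


def poly_eval(f, x):
    """Horner evaluation of the coefficient list f at x."""
    acc = 0
    for coef in reversed(f):
        acc = gf_mul(acc, x) ^ coef
    return acc


def poly_degree(f):
    """Index of the highest non-zero coefficient (-1 for the zero polynomial)."""
    return max((d for d, coef in enumerate(f) if coef), default=-1)


def lagrange(points):
    """The unique polynomial of degree at most n-1 through n points (x_i, y_i)
    with distinct x_i: sum_i y_i * prod_{j != i} (x - x_j) / (x_i - x_j)."""
    xs = [x for x, _ in points]
    f = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                basis = poly_mul(basis, [xj, 1])   # (x - x_j) = x + x_j here
                denom = gf_mul(denom, xi ^ xj)
        scale = gf_mul(yi, gf_inv(denom))
        for d, coef in enumerate(basis):
            f[d] ^= gf_mul(scale, coef)
    return f


def interpolation_attack(pairs):
    """Recover the cipher as a polynomial in the plaintext from known pairs.
    Once deg + 1 pairs are available, the result agrees with the cipher on
    every input: a global deduction without the key."""
    return lagrange(pairs)


if __name__ == "__main__":
    key = (0x3A, 0xC5, 0x17)  # constructed secret key, unknown to the attacker
    known = [(p, toy_encrypt(p, key)) for p in range(50)]  # 50 known plaintexts
    f = interpolation_attack(known)
    fresh = 0xE3
    print("degree of recovered polynomial:", poly_degree(f))
    print(f"cipher(0x{fresh:02X}) = 0x{toy_encrypt(fresh, key):02X}, "
          f"interpolated = 0x{poly_eval(f, fresh):02X}")
```

The point to take from the example is the one the section makes: what matters is the degree of the cipher as a polynomial in the plaintext, not the key size. Adding more rounds of the same low-degree component only multiplies the degree, and the attack stays cheaper than exhaustive search as long as the degree stays well below the field size.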

Recently, a probabilistic version of the interpolation attack was introduced [26].

4.8 Non-surjective Attack 

In [61] the non-surjective attack on iterated ciphers was described. It is applicable 
to Feistel ciphers where the round function is not surjective. In a Feistel cipher 
the plaintexts and corresponding ciphertexts give the exclusive-or of all outputs 
of the round function. Thus, if the round function is not surjective this gives 
information about intermediate values in the encryptions, which can be used in 
an attack. 

4.9 Key Schedule Attacks 

In this section we consider the key schedules of block ciphers. We consider an $n$-bit block cipher, where $E_K(\cdot)$ denotes encryption with the key $K$ and $D_K(\cdot)$ denotes decryption. A weak key $K$ is a key for which encryption equals decryption, that is, $E_K(X) = D_K(X)$ for all $n$-bit texts $X$. A pair of semi-weak keys $K, K^*$ are keys for which encryption with one key equals decryption with the other key, that is, $E_K(X) = D_{K^*}(X)$ for all $n$-bit texts $X$ or, equivalently, $D_K(X) = E_{K^*}(X)$ for all $n$-bit texts $X$. It is well known that there are at least four weak keys and six pairs of semi-weak keys for the DES. In [11] it was shown that there are exactly $2^{32}$ fixed points for the DES used with a weak key.

If there are only a small number of weak keys they pose no problem for applications of encryption if the used keys are chosen uniformly at random. However, when block ciphers are used in hash modes where, e.g., the key input can be chosen by the attacker in attempts to find collisions, they play an important role, as demonstrated in [14,59].

[13] lists a large class of $2^{51}$ keys for IDEA which can be easily identified using only a few plaintexts and ciphertexts. Note that IDEA uses 128-bit keys. In [68] it was shown that for 1 in $2^{14}$ keys for Blowfish a differential attack is faster than an exhaustive key search. [40] lists a large class of differentially weak keys for RC5 [62], keys for which a specific differential attack has improved performance.



Related Key Attacks There are several variants of this attack depending on 
how powerful the attacker is assumed to be. 

1. Attacker gets encryptions under one key. 

2. Attacker gets encryptions under several keys. 

(a) Known relation between keys. 

(b) Chosen relation between keys. 

The first kind of attacks was introduced in [33], the second kind of attacks in [2]. Also, there are related key attacks on SAFER K [36] and on several other block ciphers [30].

Note that for the attacks of 2b above one must omit Assumption 1. It may be argued that the attacks with a chosen relation between the keys are unrealistic. The attacker needs to get encryptions under several keys, in some attacks even with chosen plaintexts. However, there exist quite realistic settings in which an attacker may succeed in obtaining such encryptions, as argued in [30]. Also, there exist quite efficient methods to preclude the related key attacks [30,16].

5 Design of Block Ciphers 

In this section we discuss some of the problems involved in the design of a block cipher. Two generally accepted design principles for practical ciphers are the principles of confusion and diffusion that were suggested by Shannon. Massey [45] interprets Shannon's concepts of confusion and diffusion [64] as follows. Confusion: "The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst". Diffusion: "Each digit of the plaintext and each digit of the secret key should influence many digits of the ciphertext". These two design principles are very general and informal. Shannon also discusses two other more specific design principles. The first is to make the security of the system reducible to some known difficult problem. This principle has been used widely in the design of public-key systems, but not in secret-key ciphers. Shannon's second principle is to make the system secure against all known attacks, which is still the best known design principle for secret-key ciphers today.

There have been many suggestions in the past of more specific design principles, e.g. completeness, strict avalanche criterion, see [52, pages 277-278]. However, a specific cryptographic design principle should not be overvalued. Design principles should be seen as "guidelines" in the construction of ciphers, evolved from years of experience, and as necessary, but not sufficient, requirements. There are many examples of this in the history of cryptography. We already mentioned the example of [27], where a block cipher "provably secure" against differential and linear attacks was broken by some other means.

5.1 Block and Key Size 

It is clear from the discussion in Section 3.3 that if either the block or key size is too small, or both, a block cipher is vulnerable to a brute force attack. These attacks are independent of the internal structure and intrinsic properties of an algorithm. Most block ciphers in use today have a block size of 64 bits. For these ciphers the birthday attacks of Theorem 1 require storage/collection of $2^{32}$ ciphertext blocks for a success probability of about one half. It may seem unlikely that a single key is used to process that many ciphertexts, and the storage of $2^{32}$ ciphertext blocks of 64 bits each will require about $2^5$ Gigabytes of memory. However, with the rapid increase in computing power and available storage media it can be expected that in a few years this attack is very realistic. This has been taken into consideration in the ongoing development of the Advanced Encryption Standard, cf. later.

The key size of the DES is only 56 bits, which is too short. In [69,70] a design of an exhaustive search machine was given which, at the cost of 1 million US$, finds the secret key of the DES in an average time of 3.5 hours. In [8] it was estimated that with respect to an exhaustive key search a key size of at least 90 bits will suffice for the next 20 years.

5.2 Resistance against Differential and Linear Attacks 

We consider an $r$-round iterated block cipher with round function $G$. Denote by $p_d$ the highest probability of a non-trivial one-round differential achievable by the cryptanalyst. Let $p$ be the probability of a linear approximation. Then $|p - 1/2|$ is called the bias. Recall that the success of a linear attack is proportional to the reciprocal value of the square of the bias of the used linear approximation. It has been shown how to treat differential and linear cryptanalysis in a similar way [50] by defining $q = (2p - 1)^2$. Let $q_\ell$ denote the highest such quantity for a one-round linear approximation. It is possible to upper bound the probability of any differential and any hull in an $r$-round iterated cipher expressed in terms of $p_d$ and $q_\ell$.

Theorem 3 ([34]). Consider an $r$-round iterated cipher which has independent round keys. Any $s$-round differential, $s \ge 1$, has a probability of at most $p_d$. Any $s$-round linear hull, $s \ge 1$, has a reciprocal squared bias of at most $q_\ell$.

For Feistel ciphers, Theorem 3 is trivial, since $p_d = q_\ell = 1$ when the right halves of the inputs are fixed. These differentials and hulls are called trivial one-round differentials and hulls. It is possible to upper bound the probabilities of differentials and hulls in a Feistel cipher expressed in terms of the most likely non-trivial one-round differential with probability $p_{\max}$ and the best non-trivial one-round linear hull with reciprocal squared bias of $q_{\max}$.

Theorem 4 ([54,50]). Consider an $r$-round Feistel cipher with independent round keys. Any $s$-round differential, $s \ge 4$, has a probability of at most $2p_{\max}^2$. Any $s$-round linear hull, $s \ge 4$, has a reciprocal squared bias of at most $2q_{\max}^2$.

It has been shown that the round function in a Feistel cipher can be chosen in such a way that $p_{\max}$ and $q_{\max}$ are small [54,34].

5.3 Resistance against other Attacks 

As mentioned earlier one should be careful not to focus too much on the resistance against a limited set of attacks when constructing new block ciphers. In some cases other attacks become possible.

Let $F$ be an $n$-bit $r$-round iterated block cipher. Assume that the nonlinear order of the ciphertext bits after one round is $d$ and $d^s$ after $s$ rounds with a high probability. Then higher order differential attacks will in general not be possible after $r$ rounds if $d^r \approx n$. One should take into account that the attacker may be able to guess key bits in the outer rounds of the cipher, thereby attacking a cipher with a fewer number of rounds. Thus, the nonlinear order should reach the block size after, say, $r - 2$ rounds.

It is yet unknown how to obtain exact security against truncated differential attacks. However, a truncated differential is a collection of differentials. Therefore, if the probabilities of all differentials can be bounded sufficiently low, this attack will have only a small probability of succeeding.

The differential-linear attack will only work if both good linear hulls and good differentials exist. Thus, the techniques of the previous section also apply in this case.

The interpolation attack works particularly well when the outputs of one round of a cipher can be described as a polynomial of the input bits with relatively few nonzero coefficients. Thus, if a cipher consists of elements which cannot be described as such, it seems that the attack will not be possible. The probabilistic version of the interpolation attack might improve on this, but this has not been reported and needs further study.

The key-schedule attacks can be precluded by using only so-called strong key-schedules [35], see also [30,16].

6 Enhancing the Strength of the DES 

Already in 1977 the DES was criticised for its short key length and it was suggested to use the DES in a triple encryption mode [21]. In a triple encryption with three independent keys $K_1$, $K_2$, and $K_3$, the ciphertext corresponding to $P$ is $C = E_{K_3}(E_{K_2}(E_{K_1}(P)))$. One variant of this idea is well known as two-key triple encryption, proposed in [66], where the ciphertext corresponding to $P$ is $E_{K_1}(D_{K_2}(E_{K_1}(P)))$. Compatibility with a single encryption can be obtained by setting $K_1 = K_2$. However, whereas triple encryption is provably as secure as single encryption, a similar result is not known for two-key triple encryption. A two-key triple encryption scheme with a proof of security appeared in [16]. Another method of increasing the key size is DES-X, developed by Rivest. In DES-X the ciphertext corresponding to $P$ is $C = E_K(P \oplus K_1) \oplus K_2$, where $K$ is a 56-bit key and $K_1$ and $K_2$ are 64-bit keys. Alternatively, $K_1 = K_2$ may be used. It was shown [31] that for attacks not exploiting the internal structure the effective key size of DES-X is $118 - \log_2 m$ bits, where $m$ is the maximum number of plaintext/ciphertext pairs the attacker can obtain.

Although all these schemes increase the key lengths of the DES, the block lengths of 64 bits of these proposals are the same as for DES, and the matching ciphertext attack is still a problem.

7 The Advanced Encryption Standard 

A better solution than those of the previous section seems to be to construct a new block cipher with larger keys and larger blocks to replace the DES, a cipher which at the same time is immune to all kinds of attacks reported so far in the cryptographic literature. Such an initiative was announced in January 1997 by the U.S. National Institute of Standards and Technology (NIST), the same institute that standardized DES in the 70's. The first workshop was held April 15, 1997. NIST's intention is to standardize a new encryption algorithm, the Advanced Encryption Standard (AES) [57], as a replacement for DES. NIST encouraged parties world-wide to submit proposals for the new standard. The submission deadline was June 15, 1998; 15 proposals from all over the world were submitted and all proposals are now publicly available [58]. The proposals are required to support at least a block size of 128 bits, and three key sizes of 128, 192, and 256 bits. NIST hopes that the end result is a block cipher "with a strength equal to or better than that of Triple-DES and significantly improved efficiency." With the minimum requirements for the key sizes it is clear that an exhaustive key search will be infeasible for many years. Also, with a block size of 128 bits the matching ciphertext attack requires a huge number of about $2^{64}$ ciphertext blocks to come into play.

The submitters of most of the algorithms claim a very high level of security. An exhaustive search for the key is often claimed to be the best attack, or it is claimed that an attacker would need all $2^{128}$ possible inputs and outputs to succeed.

However, we think that once a few candidates have been selected by NIST, the increased attention of the world's cryptanalysts will result in new analysis and in levels of security much lower than claimed by the designers. In particular, we conjecture that (theoretical) key-recovery attacks with complexities in the neighborhood of $2^{100}$ or less will be found against most of the candidates (provided that they are looked at) in 5 to 10 years, and therefore with a security level lower than the best known key-recovery attacks on triple-DES today. Also, a long-time conjecture is that the (theoretical) security level of the final candidate, or the final few candidates in case NIST should decide for several algorithms, will drop to less than $2^{80}$ in 30 years from now.

8 Conclusion and Open Problems 

This paper considers contemporary block ciphers. In the last decade there has been a huge increase in the public knowledge regarding the security of secret-key block ciphers, most notably through the publication of the differential and linear attacks. Although this has enabled us to break many systems faster than by an exhaustive search for the key, the best known attacks on many of these systems are not very practical and require either the encryptions of unrealistically many chosen or known plaintexts and/or a huge memory and processing time. The open problems in cryptanalysis of block ciphers are easy to spot: break all unbroken block ciphers! And there are a lot of them.

Abstract. In the first part of this discussion, we first briefly discuss various prime generation methods, starting with the Rabin-Miller test, and then moving on to a very simple new deterministic test. After that we discuss various ways of constructing so-called strong primes, and why this is better avoided.



1 Rabin-Miller ’s Primality Test 

The celebrated Rabin-Miller test is the most commonly used algorithm used for 
generating primes in public key schemes, be it RSA, DSA, Diffie-Hellman or el- 
liptic curves in odd characteristic. The idea goes back to [1] and the probabilistic 
algorithm was introduced in [2] . 

This is a probabilistic algorithm that on input a(n odd) number can prove 
that it is composite or assert with some degree of certainty that it is a prime: 

1. On input n, compute n — 1 = 2r/i, where h is odd. 

2. Choose b uniformly in [1, ...., n — 1] 

3. Then n passes if 5^ = 1 mod n or if = — 1 mod n for some i < r. 

By Fermat's Little Theorem, a prime always passes this test. The question 
is what we can say about a composite number that passes the Rabin-Miller 
test. Note that for all Carmichael numbers n, a base b chosen prime to n has a 
multiplicative order dividing $n - 1$. There are infinitely many: 

Definition: An integer n is called a Carmichael number if $\phi(n) \mid (n - 1)$. 

Consider a procedure that chooses odd k-bit numbers uniformly and outputs 
the first one that passes t iterations of Rabin's test. 

Furthermore, let C denote the event that n is a composite, and let $T(t)$ 
denote the event that t iterations of the test output a composite number. Let 
$P(k,t) = P(C \mid T(t))$ denote the probability that this happens, where k is the 
bitlength of n. 

1.1 Introductory Results 

Notation: $M_k$ is the set of odd numbers of bit length exactly k. Fix k and let 
n be an odd number of bitlength k. 

Consider the elements of $\mathbb{Z}_n^*$ for which the R-M test is positive. These 
elements do not form a subgroup, unfortunately. Let $\alpha(n)$ be the fraction of 
elements in $[1 \ldots n-1]$ for which the R-M test is positive. 



I. Damgard (Ed.): Lectures on Data Security, LNCS 1561, pp. 127—133, 1999. 
(c) Springer-Verlag Berlin Heidelberg 1999 






Peter Landrock 



Lemma 1. Let $n = p_1^{e_1} \cdot \ldots \cdot p_s^{e_s}$ be the decomposition of n into distinct prime 
factors. The fraction $\alpha(n)$ is bounded by 

— $2^{1-s}$, where s is the number of different prime divisors of n. 

— where $q = \prod_i \frac{p_i - 1}{\ldots}$ for $u_i$ the odd part of $p_i - 1$ and h the odd part of $n - 1$. 



Lemma 2. $\alpha(n) < 1/4$ 

Proof: See e.g. [MOR] 

Thus it follows that $P(T(1) \mid C) < 1/4$, and hence that $P(T(t) \mid C) < 4^{-t}$. 
However, we are interested in $P(C \mid T(t)) = P(k,t)$!! 

But even so, if we could prove e.g. that $P(C \mid T(1)) < 1/4$, a guaranteed error 
rate of $2^{-64}$ would require 32 independent choices of bases for the Rabin-Miller 
test. 

Experience shows that for the vast majority of values of n, $\alpha(n)$ is very 
small, while for very few values of n, the maximal possible value just below 1/4 
is assumed. However, in [3], Paul Comba wrote: 

"Unfortunately, the "vast majority" and the "very few" have not been quan- 
tified by mathematical analysis." 

In [4] and further improvements in [5] partly based on [6], this analysis is pro- 
vided. Earlier results by Erdős and Pomerance were not exact, but asymptotic 
only. 

To evaluate this probability effectively, one needs to study average behaviour 
over the distribution of candidates, as first done in [7]. It is elementary to prove 

Lemma 3. With the notation above, we have 

$P(k,t) \le 4^{1-t}\, P(k,1)/(1 - P(k,1))$ 

Indeed, this follows by Bayes' Theorem: $P(T(t))\,P(C \mid T(t)) = P(T(t) \mid C)\,P(C)$, 
and in particular $P(T(1))\,P(C \mid T(1)) = P(C)\,P(T(1) \mid C)$. From the former we 
get 

$P(C \mid T(t)) = P(T(t) \mid C)\,P(C)/P(T(t))$ 
$\le 4^{-t+1}\,P(T(1) \mid C)\,P(C)/P(\neg C)$ 
$= 4^{-t+1}\,P(T(1))\,P(C \mid T(1))/P(\neg C)$ 

where the last equality follows from the latter identity and the inequality from the fact 
that $P(T(t)) \ge P(\neg C)$. 

But as $P(\neg C \mid T(1))\,P(T(1)) = P(\neg C)\,P(T(1) \mid \neg C) = P(\neg C)$, due to the fact 
that the Rabin-Miller test is always positive on a prime (i.e. in the event $\neg C$), 
we have 

$\frac{P(T(1))}{P(\neg C)} = \frac{1}{P(\neg C \mid T(1))} = \frac{1}{1 - P(C \mid T(1))}$ 

which inserted above yields the claim. 
1.2 Estimates 

We sketch the approach of [5] very briefly: In the following choose k = 100, say, 
and 

2<m< 

We want to choose a subset $C_m$ of $M_k$ such that 

1. $C_m$ is small compared to $M_k$ 

2. The composite numbers n in $M_k \setminus C_m$ satisfy one of the following. 

— All prime divisors of n are smaller than 

— Some prime divisor p in n is larger than and $(p-1)/(p-1, n-1) > 2^{m-1}$ 

The idea is to define $C_m$ as the set of composite numbers in $M_k$ for which 
neither condition holds: 

$C_m = \{ n \in M_k \mid n$ is a composite with a prime divisor $p >$ such that $(p-1)/(p-1, n-1) < 2^{m-1} \}$ 

Using the techniques above, it is easy to prove that $\alpha(n) < 2^{-m}$ for all $n \in 
M_k \setminus C_m$. 

Example: Let n = pqr, where p, q and r are primes that are 3 mod 4, and 
n is a Carmichael number: Then $\alpha(n) = 1/4$. A specific example is $1729 = 
7 \cdot 13 \cdot 19$, the celebrated taxi cab number. Hardy probably mentioned this number 
to Ramanujan at the famous visit to the hospital to cheer Ramanujan up by 
making the mock statement that this number was uninteresting. Hardy was 
very familiar with Carmichael's work and it is quite feasible that he thought 
such a statement might trigger a reaction from the sad Ramanujan, as he 
(of course) too would recognise it as a Carmichael number. Ramanujan then 
astounded Hardy by pointing out that it is the smallest number which in two 
different ways may be written as a sum of two cubes. 
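As an added example (not code from the paper), the three-step Rabin-Miller round of Section 1 implemented as stated, together with a brute-force count of the fraction of bases in $\mathbb{Z}_n^*$ that pass, contrasted with the Fermat test, which every Carmichael number passes for all bases. The input 8911 = 7·19·67, a Carmichael number whose prime factors are all 3 mod 4, is a constructed choice of mine; for 1729, whose factor 13 is 1 mod 4, the count comes out smaller.

```python
from fractions import Fraction
from math import gcd
import random


def decompose(n):
    """Step 1: write n - 1 = 2^r * h with h odd."""
    r, h = 0, n - 1
    while h % 2 == 0:
        r += 1
        h //= 2
    return r, h


def passes_rabin_miller(n, b):
    """Steps 2-3 for a given base b in [1, n-1]: n passes if b^h = 1 mod n,
    or b^(2^i h) = -1 mod n for some i < r. A prime always passes (Fermat)."""
    r, h = decompose(n)
    x = pow(b, h, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(1, r):           # i = 1, ..., r-1
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, t, rng=random):
    """t rounds with independently, uniformly chosen bases: one failing base
    proves n composite; t passes assert primality with error at most 4^-t."""
    if n < 3 or n % 2 == 0:
        return n == 2
    for _ in range(t):
        b = rng.randrange(1, n)     # b uniform in [1, ..., n-1]
        if not passes_rabin_miller(n, b):
            return False
    return True


def fermat_liar_fraction(n):
    """Fraction of units b mod n with b^(n-1) = 1 mod n: exactly 1 for primes
    and for Carmichael numbers, so the Fermat test cannot tell them apart."""
    units = [b for b in range(1, n) if gcd(b, n) == 1]
    return Fraction(sum(pow(b, n - 1, n) == 1 for b in units), len(units))


def strong_liar_fraction(n):
    """Fraction of units b mod n for which the R-M test is positive
    (brute force, so only sensible for small n)."""
    units = [b for b in range(1, n) if gcd(b, n) == 1]
    return Fraction(sum(passes_rabin_miller(n, b) for b in units), len(units))


if __name__ == "__main__":
    # Constructed inputs: 1729 = 7*13*19 (the taxi cab number) and 8911 = 7*19*67,
    # a Carmichael number all of whose prime factors are 3 mod 4.
    for n in (1729, 8911):
        print(n, "Fermat liars:", fermat_liar_fraction(n),
              "strong liars:", strong_liar_fraction(n),
              "passes 20 rounds:", is_probable_prime(n, 20))
```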

By going through even more elaborate estimates but still along the same 
lines, these results may be dramatically improved. See [5] for details on the 
following table, which in the (k,t)'th entry contains $-\log_2$ of the upper bound 
for $P(k,t)$. For instance, $P(150,2) < 2^{-20}$. 
k \ t    1    2    3    4    5    6    7    8    9   10 
100      5   14   20   25   29   33   36   39   41   44 
150      8   20   28   34   39   43   47   51   54   57 
200     11   25   34   41   47   52   57   61   65   69 
250     14   29   39   47   54   60   65   70   75   79 
300     19   33   44   53   60   67   73   78   83   88 
350     28   38   48   58   66   73   80   86   91   97 
400     37   46   55   63   72   80   87   93   99  105 
450     46   54   62   70   78   85   93  100  106  112 
500     56   63   70   78   85   92   99  106  113  119 
550     65   72   86   93  100  107  113  119  119  126 
600     75   82   88   95  102  108  115  121  127  133 



2 A Simple Deterministic Prime Generation Algorithm 

The approach as such goes back to [8]: Start with a random prime $p_1$ of some 
limited size from a table and construct a prime $p_2 = k_1 p_1 + 1$. Continue with 
this process until a prime $p_r$ is constructed of the right size. This was used by 
D. Wheeler to construct large primes in the 1950s. D. Wheeler always chose the 
coefficient $k_i$ less than $p_i$. Compare to Theorem 101 in [8]. 

This can be improved as follows: Let p be a prime, and let $k = ap + b$, where 
$a, b < p$ are both odd. Set $n = kp + 1$. 

Theorem 1. Suppose there exists a t such that 

— $t^{n-1} \equiv 1 \pmod n$ 

— $t^{k} \not\equiv 1 \pmod n$, where $k = (n-1)/p$ 

Then n is a prime. 

Note that n is in the range $p < n < p^3$. 

Proof: We first observe that if n is composite, it must have a prime divisor q 
of the form $xp + 1$, x even. Hence $n = qr$, where $r = yp + 1$, y even. Thus $a = xy$ 
and $b = x + y$ are both even, a contradiction. 

Note: It is easy to see that the condition that a, b be odd can be relaxed to 
the assumption that $b^2 - 4a$ not be a square integer. 

Notice that the restriction on a and b only reduces the potential key space 
by a factor 4, i.e. two bits. 

This test is much simpler than e.g. Ueli Maurer’s construction of deterministic 
primes (see [9]), but gives the same uniform distribution properties, as we shall 
indicate: 

What is the quality of the distribution of the primes constructed by this 
method? 

We need an estimate of the probability that a random (odd) number n is 
divisible by primes up to a certain bound B only. Obviously, this probability 
equals 
which by Mertens' Theorem (see e.g. [8]) can be estimated as 

$2e^{-\gamma}/\log(B) \approx 1/\log(B)$ 

where $\gamma$ is Euler's constant. Thus the distribution is linear in $\log(B)^{-1}$. This 
gives the following estimate for the fraction $\rho(e)$ of numbers x less than n whose 
largest prime factor is less than $n^{1/e}$: 



  e     ρ(e) 
 1.5    0.59453 48919 
 2.0    0.30685 28194 
 2.5    0.13031 95618 
 3.0    0.04860 83883 
 3.5    0.01622 95932 
 4.0    0.00491 09256 
 4.5    0.00137 01177 
 5.0    0.00035 47247 
 6.0    0.00001 96497 
 7.0    0.00000 08746 
 8.0    0.00000 00323 
 9.0    0.00000 00010 



We observe that 95% of all (odd) numbers x have a prime divisor which is 
at least $x^{1/3}$. 

Assuming that the distribution of prime divisors is independent of the fact 
that $n - 1$ (or $n + 1$) is a prime (which can be verified statistically), this result 
yields the probability that a prime p has the property that all prime divisors of 
$p - 1$ or $p + 1$ are below a certain bound. This in fact is also the argument behind 
not using strong primes above a certain limit (about 384 bits). 

This estimate also indicates how the size of the prime p dividing $n - 1$ is chosen 
if we start by choosing the bit length of the final candidate n: The distribution 
should be linear in $\log(p)^{-1}$. We may then successively call our algorithm to 
generate smaller and smaller primes, until we end up with a size we can look up 
in a table, and then go backwards in our construction using the theorem above. 

Likewise, the estimate above yields that by test dividing with all primes up 
to say 256, we may discard about 80% ($\approx 1 - 1/8$) of all candidates. Thus we 
will speed up the prime generation time considerably by first test dividing with 
small primes and only then starting our favourite algorithm up, and always with 2 as 
the first choice for the test base, as modular exponentiation of 2 is much faster 
than modular exponentiation in general. 

For much more on this, see [10]. 
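The construction of this section as runnable code, added here and not taken from the paper: a sieve for the trial division up to 256, Theorem 1 used as the primality proof (base 2 tried first), a top-down choice of sizes in the spirit of the sizing remark above, and Wheeler's chain from a table prime up to a target bit length. The function names, the 16-bit table and the choice of the next size uniformly in [target/3, target/2] are my own assumptions.

```python
import random


def small_primes(bound=256):
    """Primes up to bound (sieve); the text recommends trial division up to 256."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, bound + 1, i):
                sieve[j] = 0
    return [i for i, is_p in enumerate(sieve) if is_p]


SMALL_PRIMES = small_primes()


def has_small_factor(n):
    """True if a prime up to 256 divides n (and n is not that prime itself)."""
    return any(n % q == 0 and n != q for q in SMALL_PRIMES)


def theorem1_witness(n, p, limit=200):
    """Theorem 1: for n = (a p + b) p + 1 with a, b < p odd, a base t with
    t^(n-1) = 1 mod n and t^((n-1)/p) != 1 mod n proves that n is prime.
    Base 2 is tried first, as the text recommends. Returns t, or None."""
    k = (n - 1) // p
    for t in range(2, min(n - 1, 2 + limit)):
        if pow(t, n - 1, n) == 1 and pow(t, k, n) != 1:
            return t
    return None


def next_prime_from(p, target_bits, rng=random):
    """One step of the construction: draw odd a, b < p, with a sized so that
    n = (a p + b) p + 1 has about target_bits bits; skip candidates with a
    small factor; return the first n that has a Theorem 1 witness."""
    pb = p.bit_length()
    a_bits = max(1, min(pb - 1, target_bits - 2 * pb + 1))
    while True:
        a = rng.getrandbits(a_bits) | (1 << (a_bits - 1)) | 1  # odd, a_bits bits, so a < p
        b = rng.randrange(1, p, 2)                             # odd, 1 <= b < p
        n = (a * p + b) * p + 1
        if not has_small_factor(n) and theorem1_witness(n, p) is not None:
            return n


def plan_sizes(target_bits, table_bits=16, rng=random):
    """Bit lengths of the chain, chosen top-down: a p of pb bits can prove an n
    of 2 pb - 1 .. 3 pb bits (p < n < p^3), so each step picks the next size in
    [target/3, target/2] until a table-sized prime is reached. Smallest first."""
    sizes = [target_bits]
    while sizes[-1] > table_bits:
        s = sizes[-1]
        sizes.append(rng.randint(-(-s // 3), (s + 1) // 2))
    return sizes[::-1]


def prime_chain(target_bits, table_bits=16, rng=random):
    """Wheeler's method with Theorem 1: start from a random table prime and
    let each prime prove the next until the target size is reached."""
    sizes = plan_sizes(target_bits, table_bits, rng)
    table = [q for q in small_primes(1 << table_bits) if q.bit_length() == sizes[0]]
    chain = [rng.choice(table)]
    for s in sizes[1:]:
        chain.append(next_prime_from(chain[-1], s, rng))
    return chain


if __name__ == "__main__":
    for q in prime_chain(128, rng=random.Random(2024)):   # constructed run
        print(q.bit_length(), "bits:", q)
```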

3 Constructing Strong Probabilistic Primes 

The only problem to address here is how to construct a prime p such that at the same 
time $p - 1$ is divisible by the prime r and $p + 1$ is divisible by a prime s. An 
obvious tool is to use the Chinese Remainder Theorem. The obvious solution 
was first described in [11]. 

The basic idea is the following: 

Calculate first some number a which is 1 mod r and $-1$ mod s, and then start 
examining all candidates of the form $n = a + 2jrs$, for $j = 1, 2, \ldots$ To find such 
a number a is of course easy. [12] suggests the number $a = ((2 s^{r-2}) \bmod r)\, s - 
1$, which has the advantage that it is quite small (Gordon suggested $(s^{r-1} - r^{s-1}) 
\bmod rs$). 

Next test candidates of the form $n = a + 2jrs$ using the R-M test. 

We observe that 

— $n \bmod r = a \bmod r = 2 - 1 = 1$ by Fermat's Little Theorem 

— $n \bmod s = a \bmod s = 0 - 1 = -1$. 



In most applications, p is specified to be of a particular bit length, k. This 
is achieved by first constructing the primes r and s to satisfy that $\log r + \log s$ 
is of size about $k - m \log k$, where m is small, say 4. Starting the algorithm off 
with $j = m \log k$, and then increasing j in alternating steps of 2 and 4 (to avoid 
the factor 3 (!)), the bit length of the final candidate will be k with a very high 
probability by the Prime Number Theorem. 

The problem with this approach of course is that it only works if rs < p. 
Most algorithms seem to choose r and s of equal size, and this of course is 
very restrictive, and hence not recommendable at all. We do not have any exact 
estimate for the fraction of all good candidates which are accepted using this 
approach, but it is very, very small! Given our earlier discussions, it seems a much 
better idea to choose r randomly in the range [p^^^,p^^^] or perhaps 
and then s accordingly, if “the customer” insists on strong primes. 

Notice that an alternative choice of a above is 

$a = ((-2 r^{s-2}) \bmod s)\, r + 1$ 

Hence candidates of the form 

$n = a + 2jrs = ((-2 r^{s-2}) \bmod s + js)\, r + 1$ 

are being considered, and Theorem 1 of Section 2 above may be invoked if 
$(j + 1)s < r^2$, e.g., if $s < r$, which is a reasonable assumption by the remarks 
above, and $j < r$, which is the intention of the whole approach anyway. 
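An added example, not from the paper, of the strong prime construction of this section: both offsets a given above, candidates $a + 2jrs$ stepped by alternating 2 and 4 so that the factor 3 is skipped, and each candidate proven prime with Theorem 1 of Section 2 (with p = r), as the last paragraph suggests, instead of the R-M test. The adjustment of a by rs when a happens to be even, the choice of the starting class of j mod 3, the function names and the input primes r = 10007, s = 101 are my own assumptions.

```python
def crt_offset(r, s):
    """a = ((2 s^(r-2)) mod r) s - 1, the choice from [12]: a = 2 s^(r-1) - 1 = 1
    mod r by Fermat's Little Theorem, and a = 0 - 1 = -1 mod s."""
    return ((2 * pow(s, r - 2, r)) % r) * s - 1


def crt_offset_alt(r, s):
    """The alternative a = ((-2 r^(s-2)) mod s) r + 1 from the end of Section 3:
    every candidate a + 2 j r s is then of the form k r + 1, so Theorem 1 of
    Section 2 (with p = r) can prove it prime instead of the R-M test."""
    return ((-2 * pow(r, s - 2, s)) % s) * r + 1


def theorem1_proves_prime(n, p, limit=200):
    """Theorem 1: n = (a p + b) p + 1 with a, b < p odd is prime if some t has
    t^(n-1) = 1 mod n and t^((n-1)/p) != 1 mod n. Returns False (no verdict)
    when n is not of that form or no such t shows up among the first bases."""
    if (n - 1) % p:
        return False
    k = (n - 1) // p
    a, b = divmod(k, p)
    if a >= p or a % 2 == 0 or b % 2 == 0:
        return False
    return any(pow(t, n - 1, n) == 1 and pow(t, k, n) != 1
               for t in range(2, min(n - 1, 2 + limit)))


def candidates(r, s, j0):
    """Yield (j, n = a + 2 j r s), j increasing by alternating steps of 2 and 4.
    The start is moved up by at most 2 so that j never falls in the residue
    class mod 3 for which 3 | n: that is what the 2/4 stepping buys.
    Own adjustment: if a is even, a + r s (still 1 mod r and -1 mod s) is
    used instead, so that every candidate is odd."""
    a = crt_offset_alt(r, s)
    if a % 2 == 0:
        a += r * s
    bad = (-a * pow(2 * r * s, -1, 3)) % 3   # j = bad (mod 3)  <=>  3 | n
    j = j0 + (bad - 1 - j0) % 3              # start in the class bad - 1
    step = 2
    while True:
        yield j, a + 2 * j * r * s
        j += step
        step = 6 - step                      # 2, 4, 2, 4, ...


def strong_prime(r, s, j0):
    """First candidate n = a + 2 j r s (so r | n - 1 and s | n + 1) that Theorem 1
    proves prime. Needs (j + 1) s < r^2, e.g. s < r and j < r, as in the text.
    Returns (n, j)."""
    for j, n in candidates(r, s, j0):
        if any(n % q == 0 for q in (5, 7, 11, 13, 17, 19, 23, 29, 31)):
            continue                         # cheap trial division first
        if theorem1_proves_prime(n, r):
            return n, j


if __name__ == "__main__":
    # Constructed input: r = 10007 and s = 101 are primes with s < r.
    n, j = strong_prime(10007, 101, 10)
    print(n, "j =", j, "n mod r =", n % 10007, "n mod s =", n % 101)
```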

Final remarks: Any algorithm, however good, needs a random input of con- 
siderable size, called a random seed. This must originate from a random source, 
and this is a completely different story. 
Abstract. Motivated by the increasing use of cryptography, in particu- 
lar digital signatures, to secure electronic commerce this paper discusses 
applications of digital signatures. The aim is to give an overview of some 
problems, which on one hand are related to electronic commerce and, 
on the other hand, are challenging from a cryptographic point of view. 
The paper first deals with fundamental techniques for establishing a pub- 
lic key infrastructure and for creating non-repudiation tokens. The latter 
makes it possible to use digital signatures to solve disputes which is often 
the ultimate goal when using digital signatures in practice. 

Next more advanced cryptographic protocols are discussed by giving an 
overview of protocols for fair exchange of signed documents as well as 
for implementing electronic cash (prepaid payment systems). 



1 Introduction 

Digital signatures were made possible by the invention of public key crypto- 
graphy by Diffie and Hellman in the middle seventies (see [DH76]). In a public 
key (or asymmetric) crypto system a user has a key pair consisting of a private 
key known only to himself and a public key, which may be publicly announced 
and which must be known to all other parties communicating securely with the 
user in question. These keys are used in algorithms, which are also publicly 
known (usually standardised algorithms such as [DSS93] for digital signatures 
and [RSA78] for both confidentiality and digital signatures). 

Now consider a party, A, having a public key pair (s,p), where s is the private 
key and p the public one. Other parties can send information confidentially to 
A by encrypting it under A’s public key. A can retrieve the original information 
by deciphering the cipher text using s. As only A knows this key, A is the only 
person who can retrieve the encrypted information. Due to efficiency reasons 
public key cryptography is often used to encrypt symmetric keys, which are 
then used to encrypt a single message or used several times during a session. 

In the above setting, A can digitally sign a message using his private key. This 
results in a digital signature which can be verified by anyone using A’s public 
key. The verification process ensures that only someone knowing the private key 
corresponding to the public verification key (here A) could have produced the 
signature. 

In the following we only consider public key cryptography for digital signa- 
tures and stress, that it is possible to have a public key scenario, which can be 
used for digital signatures but not for public key encryption. More precisely, in- 
spired by the increase in electronic commerce, this paper focuses on applications 
of digital signatures to electronic payments and fair exchange of signed data. 
Obviously, electronic payments are fundamental to electronic commerce, while 
exchange protocols may be necessary to ensure fairness in business sessions in- 
volving parties that don’t trust each other (e.g., a buyer may not want to sign 
a receipt for some goods unless he is sure to get the goods, and a merchant may 
not want to send the (electronic) goods, unless he gets a receipt). 

Development of Digital Signature Schemes 

While public key cryptography was introduced in [DH76], the first digital sig- 
nature scheme was published a few years later in [RSA78]. Later, a number of 
digital signature schemes have been suggested, but only a few have survived 
extensive analysis in the cryptographic community. We now review the most 
notable ones. 

The RSA system is based on the problem of factoring. The public key is a 
pair of numbers (n, e) where n is the product of two primes p and q, and e, the 
public exponent, is relatively prime to $\mathrm{lcm}(p-1, q-1)$. The secret key consists 
of n and d, where d is the inverse of e modulo $\mathrm{lcm}(p-1, q-1)$. The signature 
on some data, D (considered a positive number less than n) is 

$\sigma = D^d \pmod n$. 

This signature can be verified using the public key by computing $D'$ as 

$D' = \sigma^e \pmod n$ 

and verifying that the retrieved data $D'$ is of the correct form. 

While anybody who is able to factor n can make false signatures, it is not 
known whether breaking RSA requires the ability to factor (forgeries based on 
homomorphic properties are possible, but these can be prevented if the signed 
data, D contains sufficient redundancy). 

However, Rabin presented in [Rab79] a variant of RSA where the public ex- 
ponent is 2 (i.e., the exponentiation with the public exponent is replaced by 
squaring). Note that 2 is not a valid public exponent in RSA, but as computing 
square roots modulo a composite requires the ability to factor the composite, 
signing arbitrary messages in Rabin’s scheme requires knowledge of the factori- 
sation of the modulus (an interesting variant of Rabin’s scheme was given in 
[Wil80]). 

In 1984, ElGamal presented a signature scheme based on the difficulty of com- 
puting discrete logarithms in the multiplicative group modulo a prime [EG85]. 
This scheme had a renaissance in the end of the eighties, as a variant of it was 
selected as public standard by NIST [DSS93]. The ElGamal and DSA signa- 
ture schemes will be discussed in more detail in Section 2. These schemes have 
gained further interest as variants can be implemented in groups defined by 
elliptic curves over finite fields (e.g., "elliptic curve DSA" [I/S98a]). 
At the end of the eighties a new paradigm for the construction of digital 
signatures was introduced (see [FS87,FFS88]). These signature schemes are de- 
rived from zero-knowledge identification protocols (see [GMR89] for information 
about zero-knowledge). A number of signature schemes have been based on this 
technique, e.g., [Sch90,GQ89]. 

Most of the applications discussed in this paper are generic in the sense that 
they can be based on any signature scheme. In these cases the schemes mentioned 
above are very good candidates. 



Existence of Digital Signatures 

One problem with practical digital signature schemes is that they are not "prov- 
ably" secure (i.e., it cannot be shown that forging signatures requires the solution 
of a generally assumed hard problem). Even in Rabin's scheme, where signing ar- 
bitrary messages is equivalent to factoring, the signer's secret key can be retrieved 
if an attacker is allowed to get signatures on arbitrary messages (see Section 2.1). 
Recently a number of practical signature schemes, including Schnorr signatures, 
have been proved secure in the random oracle model [BR93]. 

Security of digital signature schemes was not formally defined until [GMR88], 
which also presented a provably secure scheme based on the existence of claw- 
free pairs of trapdoor functions. Later the sufficient condition for making secure 
digital signature schemes was weakened in a series of papers. Most notably 

— [BM92] showed how to make secure signatures given any trapdoor function 
(in particular secure digital signatures based on RSA was made possible, 
although not that practical); 

— [NY89] based secure digital signatures on universal one-way hash functions, 
which can be constructed given any one-way permutation; and finally 

— Rompel showed in [Rom90] how to construct universal one-way hash func- 
tions (and hence secure digital signatures) based on one-way functions. Ex- 
istence of one-way functions is also a necessary condition for secure digital 
signatures. 

This paper will not deal with these "theoretical" schemes but consider sche- 
mes, that are used in practice and some applications of these. 



Overview 

The next section defines secure digital signatures (based on [GMR88]) and dis- 
cusses the security of some of the signature schemes mentioned above. The next 
four sections consider applications of signatures. First, Section 3 discusses public 
key infrastructures, which on one hand is an application of signatures, and on the 
other is a prerequisite for the deployment of public key techniques, and Section 4 
describes a standard format for non-repudiation tokens. Methods for exchanging 
such tokens (more generally, contract signing) are described in Section 5, and 
Section 6 presents the principles behind some electronic payment systems. 
2 Definition of Secure Digital Signatures 

A signature scheme is defined by the following components: 

Key Space A subset of $\{0,1\}^* \times \{0,1\}^*$ of pairs of private and public keys 
Key Generator A probabilistic polynomial time algorithm, gen, which on in- 
put the security parameter k outputs a private key KS and a matching 
public key KP. All keys, messages and signatures are of polynomial length 
in k. 

Message Space A subset of $\{0,1\}^*$. 

Signature Space A subset of $\{0,1\}^*$. 

Signing function A probabilistic polynomial time algorithm sign, which on 
input a message m and a private key KS outputs a signature sign(m, KS). 
Signature verification A binary verification function, test, which on input a 
message m, a public key KP and a signature $\sigma$ outputs 1 if $\sigma$ is valid with 
respect to KP and 0, if $\sigma$ is invalid. 

Often we shall just say that a signature scheme is defined by (gen, sign, test) 
and not explicitly mention the key, message and signature spaces. 

Sometimes (e.g., in [I/S98b] versus [I/S91]) one distinguishes between signa- 
tures with appendix and signatures giving message recovery. The above definition 
corresponds to the former, as the signature is appended to the message in the 
sense that both $\sigma$ and m are required inputs to test. In signature schemes with 
appendix the signing process usually goes in two steps: 

1. The message to be signed, m, is digested using a cryptographic hash function, 
H, resulting in $D = H(m)$. 

2. The data D is processed using the private key of the signer resulting in a 
signature sign(m, KS). 

A potential signature $\sigma$ on message m is verified in a similar two step process 
(see Figure 1): 

1. Compute $D = H(m)$. 

2. Verify that $\sigma$ matches the digest D using the public key. 

In schemes giving message recovery (part of) the message is recovered during 
signature verification. Again the signing process goes in two steps: 

1. Redundancy is added to the message, m, resulting in data D. 

2. The data D is processed using the private key of the signer resulting in a 
signature sign(m, KS). 

[I/S91], which can be used with RSA, prescribes that the input message is 
at most (roughly) half the length of the modulus so that there is room for 
redundancy. If the message is too long, only part of the message can be recovered, 
and the rest is used as input for the verification process. In that case the first 
step of the signature process goes as follows 
Fig. 1. Verifying signature with appendix 

1. Write $m = m_1 \| m_2$, where $\|$ denotes concatenation, and construct $D = m_1 \| H(m_1 \| m_2)$. 

In this case test takes as input a partial message $m_2$, the potential $\sigma$ and the 
public key and produces as output a pair (b, m), where 

$b = \begin{cases} 0 & \text{if } \sigma \text{ is invalid} \\ 1 & \text{if } \sigma \text{ is valid} \end{cases}$ 

and m is the recovered message (only well-defined if $b = 1$). Testing goes in the 
following two steps (see Figure 2), given $m_2$, $\sigma$ and KP: 

1. Recover data D from $\sigma$ using the public key. 

2. Verify that the redundancy in D is correct and that D is of the form $D = 
m_1 \| H(m_1 \| m_2)$. Return $m_1 \| m_2$ as the recovered message. 

Thus in schemes with appendix as well as schemes giving message recovery 
we can identify in the signing and verification process a step which processes 
some data (denoted D) using the private key, respectively the alleged signature 
using the public key. This step will in the following be denoted as the pure part 
of the signature algorithm in order to differentiate it from the complete signa- 
ture mechanism. Thus pure RSA is defined by the two modular exponentiation 
functions (with the private and public exponent). 

2.1 Security of Digital Signatures 

As mentioned previously [GMR88] provided the first thorough definition of dig- 
ital signatures. The following definition is based on that paper. 

The strength of a signature scheme is measured as the achievement under a 
given attack. The following four types of attacks are considered, with the most 
powerful mentioned last. 



Signing Contracts and Paying Electronically 139 




Fig. 2. Verifying signature with message recovery 



Key only The adversary knows the public key of the signer. 

Known message attack The adversary knows a number of message-signature 
pairs but cannot influence the distribution of these messages. 

Chosen message attack The adversary makes a list of messages and gets the 
signature on each of these. 

Adaptively chosen message attack In this type of attack the adversary can 
get the correct signature from the signer in a number of rounds. In each 
round the adversary can choose the messages to be signed based on the 
signatures received so far. 

Note that the ability to carry out a chosen message attack (adaptively or not) is 
in many cases detrimental to the application of the signature scheme, as these 
attacks basically allow the adversary to get signatures on arbitrary messages. 
However, these scenarios are considered in order to allow for very strong attacks. 
This will be more clear when the achievements or goal of the attack is described. 
Let $\mathcal{M}$ denote the set of messages signed by the attacked signer during an attack. 
Then the following three different achievements are considered: 

Total break The adversary obtains the secret key or other equivalent informa- 
tion allowing him to make signatures at will. 

Selective forgery The adversary is able to make a signature on a message 
$m \notin \mathcal{M}$ chosen by himself. 

Existential forgery The adversary is able to make a signature on some mes- 
sage $m \notin \mathcal{M}$ (the adversary may not control m). 

The scheme is resistant to an attack with a given goal if for every polynomially 
bounded adversary and for every $c > 0$ the probability of achieving the goal is 
less than $k^{-c}$ for k sufficiently large (where the probability is over the random 
choices of the attacker as well as the signer; k is the security parameter of the 
scheme). 
Thus the highest level of security occurs when a scheme is secure against 
existential forgery under adaptively chosen message attacks. 



2.2 Security of Practical Schemes 

In the following we briefly describe the security of RSA, Rabin and DSA in terms 
of the definition given above. 



RSA and Rabin Signatures It is easy to make an existential forgery in pure 
RSA with public key (n, e) by selecting a positive, random number $\sigma < n$ and 
computing $D = \sigma^e \bmod n$. However, if RSA is combined with a hash function, 
then it will be difficult to find a real message, m, such that $D = H(m)$. Similarly, 
if redundancy is added to the message as part of signing and removed again as 
part of verification, then this attack will fail. The same goes for attacks based 
on the homomorphic property of RSA: 

$\sigma_1 \sigma_2 = (m_1 m_2)^d \bmod n$. 

Rabin's signature scheme is constructed such that the ability to make a total 
break in the pure scheme implies that the public modulus can be factored. Unfor- 
tunately, a chosen message attack enables the adversary to find the factorisation 
of n, as follows: 

1. The adversary computes data $D = x^2 \bmod n$, where x is chosen at random, 
and asks the signer to sign D. 

2. The signature, $\sigma$, from the signer satisfies: $\sigma^2 = D \bmod n$. 

3. As D contains no information about which of the four square roots of D the 
adversary knows, the adversary is able to factor n with probability 1/2. 

Thus, the security of pure Rabin signatures can be characterised as follows: 

— existential forgery possible under known key attack 

— total break possible under chosen message attack 

— selective forgery impossible under known key attack (and under known mes- 
sage attacks, where, for example, the signer signs messages that are selected 
uniformly among the quadratic residues modulo n). 



DSA and ElGamal Just as for RSA it is possible to make an existential 
forgery of pure DSA and ElGamal signatures. As mentioned previously, DSA is 
a variant of ElGamal. It uses system parameters p and q (both primes), where 
q is of length 160 bits and divides $p - 1$, and a number $g \in \mathbb{Z}_p^*$ of order q. The 
public key is an element $y \in \mathbb{Z}_p^*$ and the secret key is a number x between 1 and 
$q - 1$ such that 

$y = g^x \bmod p$. 
Signing some data $D \in \{0,1\}^{160}$, interpreted as a number between 0 and $q - 1$, is 
a probabilistic process, where the signer chooses $k \in \mathbb{Z}_q^*$ at random and computes 

$r = (g^k \bmod p) \bmod q$ 
$s = (D + xr)/k \bmod q$ 

Signature verification is done as follows: 

1. Compute 

$u_1 = D/s \bmod q$ 
$u_2 = r/s \bmod q$ 

2. The signature is valid if $r = (g^{u_1} y^{u_2} \bmod p) \bmod q$. 

A correctly made signature will be accepted in this process as 

$g^{u_1} y^{u_2} = (g^{D + xr})^{1/s} = g^k \bmod p$. 

The DSS standard prescribes that this signature system must be used with the 
hash function SHA-1 given in [SHS95]. This allows longer messages to be signed, 
and prevents some attacks that have been known since ElGamal signatures were 
introduced in [EG85]. Without a hash function it is possible to make an existen- 
tial forgery as follows. Initially choose $a \in \mathbb{Z}_p^*$ of order q and $b \in \mathbb{Z}_q^*$ at random 
and compute 

$t = a y^b \bmod p$ 
$r = t \bmod q$ 
$s = r/b \bmod q$ 

Let $u_1$ and $u_2$ be defined as above (D, the data to be signed, is still unknown). 
Then we have to select a, b and D such that 

$g^{u_1} y^{u_2} = t \bmod p$. 

But this is equivalent to 

$g^D = y^{-r} t^s \bmod p$ 

and hence 

$g^D = y^{-r} a^s y^{bs} = y^{-r} a^s y^r = a^s \bmod p$. 

Thus if instead of choosing a at random we select $a = g^c$ for a random c, then 
(r, s) is a correct signature on data $D = cs \bmod q$. 

When "pure DSA" is used with SHA-1 as prescribed, the above forgery is 
not of much use, as the adversary would have to find a message m such that 
$H(m) = D$, a problem which has no publicly described solution. Even though 
there is some freedom in choosing D, it is not known how to make even an 
existential forgery. 
Schnorr Signatures These can for example be described in the same setting 
as DSA. Thus system parameters p, q and g as above are given. The public key 
is $y = g^x \bmod p$, where x is the private key (sometimes $g^{-x}$ is used as public 
key, but that makes no real difference for our purposes). 

A signature on a message m is most easily described as a proof of knowledge 
of the private key: 

1. The prover (signer) chooses $r \in \mathbb{Z}_q$ at random and computes $a = g^r \bmod p$. 

2. Compute a challenge $c = H(a, m)$. 

3. The prover (signer) computes $z = r + cx \bmod q$. 

Intuitively, this can be considered a proof of knowledge of x since x can be 
computed if the prover is able to answer correctly on two different challenges 
based on the same a. 

A signature is the pair (c, z). It is correct if $c = H(g^z y^{-c}, m)$. The security 
of this scheme depends on the properties of H, but assuming H behaves like a 
random oracle Schnorr signatures are secure against existential forgeries under 
adaptively chosen message attacks. 
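Added example, not code from the paper: DSA signing and verification with the formulas above, the hash-free existential forgery described in the DSA paragraph (which is why DSS insists on $D = \mathrm{SHA\text{-}1}(m)$), and Schnorr signatures as a proof of knowledge of x. The toy parameter generation (20-bit q), SHA-1 reduced mod q standing in for H, and all function names are my own assumptions.

```python
import hashlib
import random


def is_prime_td(n):
    """Trial division, adequate for the toy 20-30 bit parameters below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def toy_params(qbits=20):
    """Constructed toy DSA parameters (p, q, g): primes with q | p - 1 and g of
    order q. DSS prescribes a 160-bit q; a tiny q keeps the demo instant."""
    q = (1 << (qbits - 1)) + 1
    while not is_prime_td(q):
        q += 2
    m = 2
    while not is_prime_td(q * m + 1):
        m += 2
    p = q * m + 1
    h = 2
    while pow(h, m, p) == 1:
        h += 1
    return p, q, pow(h, m, p)


P, Q, G = toy_params()


def digest(data):
    """H(m): SHA-1 reduced mod q ('D in {0,1}^160 read as a number below q')."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % Q


def keygen(rng=random):
    """Secret x in [1, q-1], public y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def dsa_sign(D, x, rng=random):
    """r = (g^k mod p) mod q, s = (D + x r) / k mod q; redraw k if r or s is 0."""
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P) % Q
        s = (D + x * r) * pow(k, -1, Q) % Q
        if r and s:
            return r, s


def dsa_verify(D, sig, y):
    """u1 = D / s, u2 = r / s mod q; accept iff r = (g^u1 y^u2 mod p) mod q."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = D * w % Q, r * w % Q
    return r == (pow(G, u1, P) * pow(y, u2, P) % P) % Q


def forge_pure_dsa(y, rng=random):
    """The existential forgery from the text against DSA used without a hash:
    a = g^c, t = a y^b mod p, r = t mod q, s = r / b mod q; then (r, s) is a
    valid signature on D = c s mod q. The forger cannot choose D, so with
    D = SHA-1(m) prescribed it would still need a preimage of D."""
    while True:
        c, b = rng.randrange(1, Q), rng.randrange(1, Q)
        r = (pow(G, c, P) * pow(y, b, P) % P) % Q
        if r:
            s = r * pow(b, -1, Q) % Q
            return c * s % Q, (r, s)


def schnorr_sign(m, x, rng=random):
    """Proof of knowledge of x: a = g^r, c = H(a, m), z = r + c x mod q."""
    r = rng.randrange(1, Q)
    a = pow(G, r, P)
    c = digest(a.to_bytes(8, "big") + m)
    return c, (r + c * x) % Q


def schnorr_verify(m, sig, y):
    """Accept iff c = H(g^z y^-c, m); y^-c is y^(q - c) since y has order q."""
    c, z = sig
    a = pow(G, z, P) * pow(y, (-c) % Q, P) % P
    return c == digest(a.to_bytes(8, "big") + m)


if __name__ == "__main__":
    x, y = keygen()
    D = digest(b"constructed: pay 10 EUR to merchant")
    print("DSA verifies:", dsa_verify(D, dsa_sign(D, x), y))
    Df, sigf = forge_pure_dsa(y)
    print("forged (r, s) verifies on unchosen D:", dsa_verify(Df, sigf, y))
    print("Schnorr verifies:", schnorr_verify(b"msg", schnorr_sign(b"msg", x), y))
```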



3 Public Key Infrastructure 

This and the following three sections describe practical aspects of using digital 
signatures. First, certificates are discussed, as these on one hand constitute a 
simple application of digitally signed messages and, on the other, enable other 
applications. 

In order to use digital signatures it is usually necessary to have a Public 
Key Infrastructure (PKI) in place. As a signed message is verified against the 
public key, it proves, assuming that the signature is not forged, that the message 
originates from the person knowing the private key corresponding to the public 
one. Thus the public key serves as the electronic identity, and the main purpose 
of a PKI is to link this electronic identity with the owners real identity (or in 
some cases with a pseudonym chosen by the owner) . 

In practice, this is done using public key certificates. A certificate is an elec- 
tronic message stating that a given public key belongs to a certain person. It 
is issued and digitally signed by a third party called a certification authority 
(CA). Everybody knowing the public key of the CA can verify certificates issued 
by that CA and hence use the public keys in these certificates. Two certificate 
standards are given in [X5095,ISO]. 

While the CA is central for establishing a PKI, two other roles are often 
involved: 

^ A simple situation, where no particular PKI is required, is in "star shaped topologies", 
where all participants only communicate securely with a single central party. In that 
case the central party can maintain a table of the public keys of all other parties. 
These, in turn, only need to know the public key of the central party. 
— A registration authority (RA) which verifies information about the user (in 
particular the identity of the user) and links the public key to the user. In 
some applications a number of local RAs are required where applicants must 
show up in person before getting a certificate. 

— A directory (D) which maintains a register of public information about users 
and certificates. Certificates can be published in and hence retrieved from a 
directory. The LDAP protocol [YHK95] is a standard protocol for accessing 
such information. 

A user registers at the registration authority and obtains a certificate from 
the certification authority. Later the certificate can be used by either including 
the certificate in the electronic messages or letting the counterpart obtain infor- 
mation about the certificate from a third party such as the directory or the CA 
itself. Figure 3 illustrates this. 




Fig. 3. Roles in a PKI 



Since the purpose of a certificate is to link together a person and a public 
key, it is of course important that the identification of that person as well as the 
verification of the correctness of the key are done thoroughly: it must be ensured 
that the name of the person is correct and that the person acknowledges that 
the certified public key belongs to him. 

Although other procedures exist, a certificate is typically issued as follows 
using the (local) RA and the CA: 

1. The applicant registers at the RA. Several options are possible here: 

— Electronic registration (e.g., identification against an email address). 
This is often done today, but should not be used if the certificate is 
to be used for non-repudiation (see Section 4). 
— Registration based on an already established relationship. 

— Physical registration, where the applicant must show up in person and 
the officer at the RA verifies the identity of the applicant. 

In the last two cases the applicant may have to sign (by hand) an application 
form (this form may contain a fingerprint of the public key, which is going 
to be certified). 

2. The RA informs the CA about the registration. 

3. The CA sends a so-called Initial Authentication Key (IAK) to the user in a 
sealed letter [PKI]. 

4. The applicant sends an electronic request for the certificate. In this request 
the applicant identifies himself using the IAK (e.g., by computing a MAC 
on the request) and proves knowledge of the private key corresponding to 
the public one to be certified. 

5. The CA returns the requested certificate, if the request is ok (and the public 
key has not previously been certified). 

However, no matter how many resources are put into the verification of the 
information in certificates when they are issued, the PKI must support means 
for revoking certificates. Most noteworthy, this will happen if the certified key- 
pair is (suspected to be) compromised, but it could also be necessary in less 
dramatic circumstances (e.g., if some information in the certificate is out-dated). 
In case a certificate is revoked, the PKI must make sure that the change of status 
is announced properly. This could for example be through announcements of 
certificate revocation lists (blacklists) or by providing an on-line service, which 
can always give the correct status of any given certificate in a secure way. 

An important difficulty when establishing a PKI is to publish the public 
key of the CA. This key is at the heart of the security of any system, as all 
certificates issued by the CA are verified against this key. Thus someone who is 
able to replace that key with another one will be able to issue (false) certificates, 
and hence make signatures alleged to originate from someone else. Distribution 
of the key of the CA can either be done "out-of-band" (e.g., by publication 
in newspapers or in letters when a user is registered) or by certifying it using 
another CA. The latter may give rise to a hierarchy of CAs in which only the 
distribution of the root key will have to be done out-of-band. 

4 Non-repudiation 

Non-repudiation refers to the use of digital signatures for solving disputes. Thus 
the digital signature, which is made as part of a transaction, should be stored, 
and in the event of a dispute an arbiter must be able to verify it. 

ISO provides a framework for non-repudiation in part I of ISO 13888 [ISO97a], 
and in part III [ISO97b] specific non-repudiation tokens are defined. The most 
interesting are 

Non-repudiation of origin Protects against the originator's false denial of 
having originated the message. 



Signing Contracts and Paying Electronically 145 



Non-repudiation of delivery Protects against the recipient's false denial of 
having received and recognised the contents of the message (ISO uses the 
term "non-repudiation of receipt" to refer to a proof that the recipient has 
just received the message). 

In addition non-repudiation tokens are defined to support the electronic equiv- 
alent of registered mail. 

The tokens all follow a similar structure, so let us take a look at the non- 
repudiation of origin token. It contains the following information, which is signed: 

— A description of the non-repudiation policy for this token (i.e., what does 
the token prove). 

— Identification of the originator. 

— Identification of the intended recipient(s). 

— Identification of the authority generating the token (usually the originator). 

— Date and time when the token was generated. 

— Date and time when the message was sent. 

— Description of signature mechanism (including hash function). 

— Hash value of the message. 

The difficult (and yet essential) part to provide in this token is the time stamp, 
which is used to make the token unique and, in case of disputes, to determine 
the exact time of the generation of the token. A possible scenario where correct 
time stamps are important is: 

User A signs a message stating that he owes person B 1000 dollars 
and will pay this amount 2 months later. One month later A regrets and 
revokes the certificate claiming that his private key may be compromised. 
When B later wants to get his money, A refuses to pay claiming that 
the signature was made after the certificate was revoked. 

Obviously, if the initial message from A had an unforgeable time stamp, A could 
not succeed with this claim. 

In order to provide such time stamps a third party is needed. [ISO97a] defines 
a time stamp token to contain the signature of the Time Stamp Authority on a 
message containing 

— A description of the non-repudiation policy for the time stamp 

— Date and time when the time stamp was generated 

— Description of signature mechanism (including hash function) 

— Hash value of the message to be time stamped 

Internet standards for time stamping protocols are developed in the PKIX work- 
ing group [PKI]. Interestingly, the time stamp defined within PKIX in the current 
version provides the option of associating additional information with the token in 
order to prevent the third party from dating it forward (e.g., the time stamp could 
contain the most recent closing value of the Dow Jones Average). However, as 
illustrated by the example above, backdating is often a more serious problem. 
Two cryptographic solutions to this problem were proposed in [HS91]. In one 
solution, the third party making the time stamps links the stamps together so 
that backdating (to before the previous time stamp) is not feasible. This solution 
has the problem that solving a dispute involving time stamps may require as wit- 
nesses other parties having requested time stamps. The second solution proposes 
to distribute the time stamp among a number of third parties (in a random and 
unpredictable way). 

5 Contract Signing 

Contract signing refers to the problem of fairly exchanging signed documents 
between two parties. By fair is meant that each (honest) party sending a signed 
document is assured that if the other party gets his signature, then he will also 
get the required signature from that party. 

Using a trusted third party this problem has a trivial solution: Both parties 
can send their signed documents to the third party, who after receiving both 
documents verifies the signatures, and then forwards the signed documents to 
the intended recipients. 

As this solution is not satisfactory, attempts have been made to develop contract 
signing protocols relying less on trusted third parties. In theory, this problem is 
solved, since fair exchange of signed documents can be based on general crypto- 
graphic techniques such as [GMW86]. 

However, the search for more practical solutions has attracted much attention 
(see [Dam94] for more references), and in the following we consider some of the 
suggested schemes. These can be grouped in three categories: 

Gradual release of signature Here each party takes turns releasing one or 
more bits of the signature. 

Gradual release of evidence Each party takes turns at releasing evidence, 
which a third party will use to decide a possible dispute. The distinguishing 
property compared to gradual release of the signature is that a party having 
more computing power than the other cannot use this advantage to generate 
additional evidence. 

Optimistic protocols These protocols provide the exchange in such a way 
that if at any point a cheating party stops and is able to compute the sig- 
nature of the honest party, then the honest party has so much information 
that, with the help of the third party, the cheating party's signature can be 
computed. 



5.1 Gradual and Verifiable Release of Signature 

The concept of gradual and verifiable release of a secret was first introduced in 
[BCDvdG88], which shows how a party can gradually release a secret discrete 
logarithm (given two elements $g$ and $h$ of $\mathbb{Z}_p^*$, where $p$ is a prime, the secret is 
the discrete logarithm of $h$ with respect to $g$). 
The idea is that in one round the party holding the secret can prove that it 
is in a certain interval, and in each round this interval is made smaller (e.g., the 
interval could be halved in size for each round, corresponding to releasing one 
bit of the secret). In [Dam94] this technique was generalised using a special bit 
commitment scheme. While [BCDvdG88] allows release of signatures that can be 
expressed as the discrete logarithm, [Dam94] extended the scope to signatures 
that can be expressed in a well-defined way using this new commitment scheme 
(this includes RSA, Rabin and ElGamal signatures). 

We do not go more into the details of these schemes but there is a rich 
literature on such schemes. 



5.2 Gradual and Verifiable Release of Evidence 

If signatures are exchanged using the technique of gradually releasing a secret, 
then a party A with much computing power may have a substantial advantage 
over one with very little computing power, as A will be able to search (exhaus- 
tively) for missing bits. E.g., assume the signature is 320 bits (as in DSS). After 
each party has released, say, 270 bits of the signature, party A may decide to 
stop and search exhaustively for the remaining 50 bits. The other party, having 
much less computing power, may not be able to retrieve the missing bits before 
the signature is out-dated. 

[BOGMR90] introduced a way to cope with this deficiency. The exchange still 
takes place in a number of rounds, but in each round each party releases infor- 
mation which increases the probability that an arbiter will accept the signature. 
Thus at any point party A's and B's signatures will be valid with probability $p_A$ 
and $p_B$, respectively. The idea is to keep $p_A$ and $p_B$ close to each other so that 
neither A nor B will have any significant advantage in stopping the protocol. 

[BOGMR90] suggests achieving this as follows. Initially A and B agree on a 
contract, $c$, setting the parameters for the exchange and sign this contract. This 
signature does not count as a signature on the contract to be signed, and they 
can freely exchange it. Now, in round $i$ of the protocol, A signs a message saying 
"$c$ is valid with probability $p_i$". This signed message is sent to B, who returns a 
similar, signed message to A. The probability, $p_i$, is increased gradually in each 
round (e.g., with 100 exchanges $p_i = $ for $i = 1, 2, \ldots, 100$). 

In case of a dispute a party will present the signed message containing the 
highest value of $p_i$ to the arbiter, which simply decides to accept the signature 
with probability $p_i$ (once the signature is accepted or rejected, all future verdicts 
have the same outcome). 

The disadvantage of this protocol is that each party has to make and verify 
many signatures. In [Dam94] this was partly solved by replacing the digital sig- 
nature in each round with the preimage of a one-way function (e.g., a hash func- 
tion). More precisely, in the initial phase A signs $c$ and $(H(a_1), H(a_2), \ldots, H(a_n))$, 
where $a_1, a_2, \ldots, a_n$ are chosen at random. Similarly, B chooses $b_1, b_2, \ldots, b_n$ at 
random and signs $c$ and the list $(H(b_1), H(b_2), \ldots, H(b_n))$. In round $i$ party A 
reveals $a_i$ and B reveals $b_i$. After $a_i$ and $b_i$ are revealed, the arbiter will accept 
A's and B's signatures, respectively, with probability $i/n$ (more generally arbi- 
trary probabilities can be associated with each $a_i$ and $b_i$ as part of the initial 
contract). 

While this is more efficient, it still requires a number of preimages to be signed 
and stored. This can be avoided based on the technique for micropayments pre- 
sented in [Ped97,RS97,HSW96,AAIS97], as the list $(H(a_1), H(a_2), \ldots, H(a_n))$ 
can be replaced by $H^n(a_0)$, where $a_0$ is chosen at random. B's list is simi- 
larly replaced by $H^n(b_0)$, for a random $b_0$. In the $i$'th round A and B send 
$a_i = H^{n-i}(a_0)$, respectively $b_i = H^{n-i}(b_0)$, to each other. This reduces storage 
requirements, and the initially signed message will be shorter. In the $i$'th round 
each party will have to iterate $H$ $n - i$ times in order to find $a_i$, but if a good 
hash function is chosen (e.g., SHA-1, [SHS95]) this can be done very fast. As 
A (B) only has to remember the previous $b_i$ ($a_i$), verification requires a single 
computation with $H$ in each step. 

5.3 Optimistic Protocols 

While the two types of exchange mentioned above both require a large number 
of rounds in order to gradually increase the faith in the signature, optimistic 
protocols aim at exchanging the signatures directly. In order to cope with dis- 
honest parties, this is done in such a way that an honest party can be saved by 
a third party. The first optimistic protocols for fair exchanges were published in 
[ASW97]. In the following we sketch the protocols presented in [ASW98] for the 
case of Schnorr signatures. The following concepts are used: 

Reduced signature Briefly, a reduced signature is a partial signature. It can 
be verified given the public key, and given additional information the correct 
signature can be derived from the reduced one. A reduced Schnorr signature 
$(c, z)$ on message $m$ is, for example, given by $(c, u)$, where $u = g^z \bmod p$. It 
is correct if $c = H(u y^{-c}, m)$. 

Verifiable encryption of homomorphic inverse Given a surjective homo- 
morphism $\varphi : G_1 \to G_2$, where $G_1$ and $G_2$ are groups, a verifiable encryption 
of the inverse of some $d \in G_2$ is an encryption of a pre-image of $d$ for which it can be 
proved that decryption gives a pre-image of $d$. 

In the following consider the homomorphism $\varphi : (\mathbb{Z}_q, +) \to (G_q, \cdot)$ defined by 
$x \mapsto g^x$, where $G_q$ is a cyclic group of order $q$ generated by $g$. 

Assuming A wants to sign $m_A$ and B the message $m_B$ the protocol works as 
follows: 

1. A computes a Schnorr signature $(c_A, z_A)$ on $m_A$ and the corresponding re- 
duced signature $(c_A, u_A)$, where $u_A = g^{z_A}$. A sends $(c_A, u_A)$ to B. 

2. B verifies the reduced signature: $c_A = H(u_A y_A^{-c_A}, m_A)$, $y_A$ being A's public 
key. If it is invalid, B stops. Otherwise B signs $m_B$ to get $(c_B, z_B)$ and the 
corresponding reduced signature $(c_B, u_B)$. The reduced signature is sent to A. 

3. A verifies the reduced signature. If it is invalid, A stops. A encrypts $z_A$ under 
the public key of the third party and proves that the encryption is an inverse 
of $u_A$ under $\varphi$. 

4. B aborts if the proof is not accepted. Otherwise B encrypts $z_B$ under the 
public key of the third party and proves that the encryption is an inverse of 
$u_B$ under $\varphi$. 

5. If A rejects the proof, the third party is invoked. See below. Otherwise A 
sends $z_A$ to B. 

6. B verifies that $u_A = g^{z_A}$. If this is not satisfied B retrieves the signature 
with the help of the third party. Otherwise, B has the required signature 
and sends $z_B$ to A. 

7. A verifies that $u_B = g^{z_B}$. If this is satisfied, A has the required signature on 
$m_B$. Otherwise, A retrieves the signature with the help of the third party. 

Please consult [ASW98] for details on verifiable encryption and a detailed proof 
of security. In the following the security of the protocol is described informally. 

If both parties follow the protocol, they will end up getting each other's 
signature. The interesting thing is what happens if something goes wrong. Up 
to and including Step 3 neither A nor B has revealed their respective signature. 
Thus after a failure nothing has to be done. The same is true if A's proof in 
Step 4 is rejected. So let's consider failures in Steps 5, 6 and 7. 

A failure in Step 7 means that B got A's signature, but A did not get B's. 
Now A can bring the encryption of $z_B$ to T and get the decrypted value. T 
can do this without introducing security holes, as B would only have sent the 
encryption of $z_B$ if he had received a correct encryption of $z_A$ (hence T can help 
B if necessary). 

A failure in Step 6 means that both A and B have received correct encryptions 
of $z_B$ and $z_A$, respectively. In this case, they will be able to get the decryptions 
from T. However, in order to get $z_A$, B must supply $z_B$ so that A can get it in 
case B (being dishonest) claimed this error after getting the encryption of $z_A$ in 
Step 4. 

A failure in Step 5 means that A has provided a correct encryption of $z_A$, but 
B did not send one to A. Since B can get $z_A$ from T by using the mechanism 
handling failures in Step 6 there are two possibilities, when A shows up at T: 

— If B has not requested $z_A$, T can mark the exchange as aborted, and will 
never send $z_A$ to B (if at some previous point A has requested $z_A$, T will 
not mark the protocol as aborted). 

— If B at some point has requested $z_A$ then T can immediately send $z_B$ to A 
(as B had to supply it). 

6 Electronic Payments 

Payment systems allowing a person to pay electronically to another person are 
essential for electronic commerce. As a result a large number of (Internet) pay- 
ment systems have recently been developed. It is out of the scope of this paper to 
describe all these systems. Instead a general model is presented and a few con- 
structions of electronic cash are discussed, as these have drawn most attention 
in the cryptographic community. 
6.1 Model 

The following model is based on [AJSW97]. Electronic payments involve four 
parties (or roles, as one entity in principle can play different roles). These are 

— the payer, 

— the payee (receiving the money) 

— the issuing bank (the bank or financial institution of the payer) 

— and the acquiring bank (bank or financial institution of the payee) 

In a clean payment system structure, the payer will only have to deal with the 
issuer and payee, while payee only has to deal with the payer and the acquirer. 
Thus we have relations as depicted in Figure 4. 




Fig. 4. Model of electronic payments 



Most payment systems adhere to this model, but there are exceptions (e.g., 
some flows suggested by [FST95], and some options in [IBM], where the payer 
can contact the acquirer or the payee may have to contact the issuer). 

Based on this model a number of different types of payment systems are 
possible. 

Cash-like systems These are prepaid systems in which the user gets electronic 
tokens representing money from the issuer. 

Account based systems Here the payer sends a token to the payee, which 
allows the acquirer, when the payee deposits it, to move the amount from 
the account of the payer to that of the payee. Credit-card payments and 
electronic cheques are common examples of such systems. 

Indirect payment These are systems, where the payer instructs his bank di- 
rectly to transfer money to the account of the payee. Such systems are typ- 
ically applied from homebanking applications, where the payer initiates the 
payment, but they can also be initiated by the payee (based on agreements 
with the payer). 

In the following we focus on cash-like systems, but first a few words on the 
principles of account based payment systems. These roughly work as follows 
given any digital signature scheme. During set-up the user is given a certificate 
from the issuer on the public key-pair used to sign payment messages. The issuer 
uniquely links this key-pair to the (account of the) payer. A payment is simply 
a signed message enabling the acquirer to transfer the paid amount from the 
account of the payer to that of the payee. In SET encryption measures are 
provided, which make it possible to tunnel credit card information from the 
payer to the acquirer through the payee, in such a way that the payee cannot 
read this information (see [MV97] for more details on SET). Electronic cheques, 
which provide an electronic equivalent of paper cheques, are another example of 
an account based system (see [FST95,Cry]). 

6.2 Cash-like Payment Systems 

In a cash-like system, the payer withdraws electronic money at the issuer. During 
payment some of this is transferred to the payee (this may happen as part of a 
protocol in which a number of messages are exchanged), and finally the payee 
can deposit the received money at the acquirer. Clearing between issuer and 
acquirer takes place afterwards. 

As these systems resemble normal cash, much effort has been put into the 
construction of such schemes supporting the same properties that real cash en- 
joys. In particular real cash can be used anonymously and it can be transferred 
between users (i.e., the payee can use the received money, acting as a payer in 
another payment [CP93]). Furthermore, being prepaid, cash-like systems will only 
be used for minor amounts, and operating them should therefore be inexpensive 
and preferably fast (in terms of communication as well as computation). 

As electronic cash can be authenticated (guaranteed) using digital signatures, 
the main security problem is to prevent forgeries through copying. There are 
basically two solutions to this: 

— prevent copying using secure hardware (smart cards); 

— prevent usage of copied cash by on-line queries to a central server. 

For anonymous payments (and privacy protecting transactions in general) it 
is important to identify the level of anonymity offered. In order to define these 
properly, it is necessary to use the notion of a view as introduced by [GMR89]. 
We refer to [GMR89] for a formal definition and introduction of protocols and 
views. Informally, the view of a party involved in the execution of some protocol 
consists of 

— All inputs given to that party. 

— All messages received during the execution of the protocol. 

— All random bits used by that party. 

In principle one could add "All messages sent by that party", but as these mes- 
sages can be computed from the view defined above, they are usually excluded. 

In the definition below both unconditional and computational anonymity are 
considered. The term "not feasible" means that under some cryptographic as- 
sumption (e.g., the difficulty of factoring) the required task cannot be done, while 
"not possible" means that it cannot be done no matter how much computing 
power is available. 

A protocol provides untraceability for a party, A, if given the view of one 
execution of the protocol with A it is not possible (feasible) to identify A (the 
execution cannot be traced to A). 

A protocol provides unlinkability for a party, A, if it provides untraceability 
and given all views of all other parties executing that protocol with A it is not 
possible (feasible) to see which views originate from an execution with the same 
party. 

Obviously, a protocol only providing untraceability may not protect the 
anonymity of A, since linking all A’s transactions together may identify A 
uniquely. 

In the following we describe two prepaid systems providing unconditional 
anonymity, one on-line and one off-line. Both schemes are based on blind signa- 
tures, which are briefly explained next. 

6.3 Blind Signatures 

As introduced in [Cha83], blind signatures enable a signer to sign a message 
without seeing the message. More precisely, if the signer makes $n$ signatures for 
some $n > 0$ and later sees $n$ pairs $(m_i, \sigma_i)$ where $\sigma_i$ is the signature on $m_i$, then 
the signer is not able to tell when he made any of these signatures. 

At first, blind signatures seem like an odd idea, as we all learn to read docu- 
ments carefully before signing them. However, blind signatures are intended to 
be used for anonymous electronic money. The idea is that a bank issuing elec- 
tronic coins (or cheques) can sign these using a blind signature scheme. When 
the money has been spent and the recipient of the coin wants to deposit it, 
the acquirer can tell that the coin is valid (because of the signature), but the 
coin does not contain information which allows the issuer, acquirer and payee 
together to tell who originally withdrew it. 

The most famous example of blind signatures is based on RSA. With the 
notation from the introduction this works as follows. In order to get a blind 
signature on a message, $m$, the signer is requested to sign the number $b = 
r^e H(m) \bmod n$, where $r$ is chosen at random. Thus the signer computes and 
returns $b^d \bmod n$, from which the required signature can be computed 
as $(b^d)/r \bmod n$. 

6.4 On-Line Coin System 

Given any blind digital signature scheme (e.g., based on RSA as described above) 
an on-line coin system works as follows (see [Cha83]): 

Withdrawal During withdrawal the payer gets a number of coins from the 
issuer. Each coin is represented by the issuer's signature, $\sigma$, on $H(m)$, where 
$m$ is a random message selected by the payer. Different coins (denominations) 
can be implemented using different key-pairs at the issuer (as described in 
the certificate of the issuer). 

Payment During payment of a coin the payer simply sends $(m, \sigma)$ to the payee. 
The payee asks the acquirer if the received coin can be accepted (to ensure 
that it is not a copy of a previously spent coin) before accepting or rejecting 
the payment. 

Deposit Done during the payment transaction. 

Since the issuer when making a blind signature can get no (Shannon) infor- 
mation about $(m, \sigma)$, the payment system provides unconditional unlinkability. 

6.5 Off-Line Coin System 

In the above system, the on-line query during the payment is necessary to prevent 
coins from being spent more than once. In an off-line system it is not possible to 
prevent such double-spending by cryptographic means alone (secure hardware is 
needed). Instead [CFN90] suggested to enable identification of double-spenders 
after the fact. Thus honest users are anonymous, while cheaters can be identified. 
This can for example be done as follows based on RSA ([Bra94,Bra95,BBC+94] 
present different schemes based on other blind signature schemes): 

Withdrawal During withdrawal the payer prepares $2k$ messages of the form 
$H(m_i) \| H(m_i \oplus Id)$ for $i = 1, 2, \ldots, 2k$, where $Id$ is a unique identifier of the 
payer, and $k$ is a security parameter. Each of these $2k$ messages is blinded 
using a random number (as in Section 6.3) and sent to the issuer. 

The issuer requests to get $(m_i, m_i \oplus Id)$ plus the corresponding blinding fac- 
tors, $r_i$, for $k$ values of $i$. If all these are correct, the bank is assured that 
most of the remaining messages are also constructed correctly, and these are 
signed. 

From the signature of the bank the payer can get a blind signature on each 
unrevealed message $H(m_i) \| H(m_i \oplus Id)$. 

Payment The payee selects a random $k$-bit challenge, $(c_1, c_2, \ldots, c_k)$, and sends 
it to the payer. The payer responds with $(m_i, H(m_i \oplus Id))$ if $c_i = 0$ and 
$H(m_i) \| (m_i \oplus Id)$ if $c_i = 1$. The payee then verifies that the $k$ signatures are 
correct. 

Deposit During deposit the payee sends the received signed messages (plus 
signature) and the challenge to the acquirer. 

The acquirer looks up whether this coin has been used before. If it has been 
used with a different challenge $c'$ then $c_i \neq c_i'$ for some $i$ and hence the 
acquirer has both $m_i$ and $m_i \oplus Id$ and knows the identity of the payer. 

If the payer does not cheat it is not feasible to identify the payer unless preimages 
of $H$ can be found. Please consult [CFN90] on how unconditional anonymity 
can be achieved. 
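Sections 6.3 to 6.5 as one added Python example (not the paper's code): the RSA blind signature, the on-line acquirer's list of spent coins, and the CFN withdrawal, payment and deposit with the identification of a double-spender. The RSA key $n = 1009 \cdot 1013$, $e = 17$ is a constructed toy key, and every name is this example's own.

```python
# Added example, not the paper's code: Chaum's RSA blind signature (6.3), the
# on-line coin of 6.4 and the CFN off-line coin of 6.5 with identification of
# double-spenders. The issuer's RSA key (p = 1009, q = 1013, e = 17) is a toy key.
import hashlib
import secrets
from math import gcd

E = 17
N = 1009 * 1013                            # constructed toy modulus n = p * q
D = pow(E, -1, 1008 * 1012)                # issuer's private exponent d

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def to_int(data: bytes) -> int:
    return int.from_bytes(data, "big") % N   # hash value as an element of Z_n

def blind(h: int):
    """Payer: b = r^e h mod n for a random r coprime to n; returns (r, b)."""
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return r, pow(r, E, N) * h % N

def sign(b: int) -> int:
    """Issuer: signs whatever it is shown, b^d mod n, learning nothing about h."""
    return pow(b, D, N)

def unblind(sb: int, r: int) -> int:
    """(b^d) / r = r^(ed) h^d / r = h^d mod n, the plain RSA signature on h."""
    return sb * pow(r, -1, N) % N

def verify(h: int, sigma: int) -> bool:
    return pow(sigma, E, N) == h

class OnlineAcquirer:
    """6.4: the payee asks the acquirer during payment; a copy of a spent coin fails."""
    def __init__(self):
        self.spent = set()

    def accept(self, m: bytes, sigma: int) -> bool:
        if not verify(to_int(H(m)), sigma) or m in self.spent:
            return False
        self.spent.add(m)
        return True

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def coin_message(m: bytes, ident: bytes) -> bytes:
    """6.5 message H(m_i) || H(m_i xor Id); Id is 32 bytes, like each m_i."""
    return H(m) + H(xor(m, ident))

def withdraw(ident: bytes, k: int, opened: set):
    """Cut and choose: 2k blinded messages; the issuer opens the k indices in
    `opened` (its choice), signs the rest blindly. Returns k pairs (m_i, sigma_i)."""
    ms = [secrets.token_bytes(32) for _ in range(2 * k)]
    blinded = [blind(to_int(coin_message(m, ident))) for m in ms]
    for i in opened:                       # issuer's check of the opened messages
        r, b = blinded[i]
        if pow(r, E, N) * to_int(coin_message(ms[i], ident)) % N != b:
            raise ValueError("opened message is not of the form H(m)||H(m xor Id)")
    return [(ms[i], unblind(sign(blinded[i][1]), blinded[i][0]))
            for i in range(2 * k) if i not in opened]

def pay(coin, ident: bytes, challenge):
    """Payer's answer to the k-bit challenge: (m_i, H(m_i xor Id)) if c_i = 0,
    (H(m_i), m_i xor Id) if c_i = 1, each together with its signature sigma_i."""
    return [((H(m), xor(m, ident)) if c else (m, H(xor(m, ident))), sigma)
            for (m, sigma), c in zip(coin, challenge)]

def check_payment(answers, challenge) -> bool:
    """Payee: rebuild each signed message from the answer and verify sigma_i."""
    for ((left, right), sigma), c in zip(answers, challenge):
        msg = left + H(right) if c else H(left) + right
        if not verify(to_int(msg), sigma):
            return False
    return True

class OfflineAcquirer:
    """Deposits are keyed by the coin's signatures. A second deposit of the same
    coin under a different challenge exposes m_i and m_i xor Id, hence Id."""
    def __init__(self):
        self.seen = {}

    def deposit(self, answers, challenge):
        """Returns ("ok", None), ("double-spent", Id) or ("replay", None)."""
        key = tuple(sigma for _, sigma in answers)
        if key not in self.seen:
            self.seen[key] = (answers, challenge)
            return "ok", None
        old, old_challenge = self.seen[key]
        for (a, _), (b, _), c, c_old in zip(answers, old, challenge, old_challenge):
            if c != c_old:
                m = a[0] if c == 0 else b[0]           # the c = 0 answer holds m_i
                m_xor_id = a[1] if c == 1 else b[1]    # the c = 1 answer holds m_i xor Id
                return "double-spent", xor(m, m_xor_id)
        return "replay", None
```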

6.6 Micropayment 

The above systems require verification of at least one signature during each 
payment. This may not be sufficiently efficient in systems requiring many pay- 
ments of small amounts (in particular if this is done on a smart card). Such 
payments can for example be made efficiently using the technique mentioned in 
Section 5. During payment the payer sends to the payee $a_n = H^n(a_0)$ as well 
as a signature on $a_n$ guaranteeing that $a_n$ represents some value (say $n = 100$ 
and the total value is 10 dollars). After the payee has validated this signature, 
the payer can make a number of successive payments of 10 cents by sending the 
number $a_{n-i} = H^{n-i}(a_0)$ for the $i$'th payment. The payee only needs to remem- 
ber the last value received. Validation of the $i$'th payment consists of verifying 
that $H(a_{n-i}) = a_{n-(i-1)}$, which can be done very efficiently. 
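The hash chain $a_i = H^{n-i}(a_0)$ of Section 5.2 and its micropayment use above, as an added Python example (not the paper's code). Class and function names are this example's own; the accepting side may also check several steps at once by iterating $H$, a generalisation of the one-step check in the text.

```python
# Added example (not from the paper): the hash chain a_i = H^(n-i)(a_0) used
# for gradual release of evidence (Section 5.2) and for micropayments
# (Section 6.6). Class and function names are this example's own.
from __future__ import annotations
import hashlib
import secrets


def H(x: bytes) -> bytes:
    """The one-way function; SHA-256 stands in for the paper's generic H."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, times: int) -> bytes:
    """H^times(x)."""
    for _ in range(times):
        x = H(x)
    return x


class Releaser:
    """Party A, or the payer: holds a random a_0 and in round i reveals
    a_{n-i} = H^(n-i)(a_0) (what Section 5.2 calls a_i). Only a_0 and a
    counter are stored; the value for round i costs n-i hash evaluations."""

    def __init__(self, n: int, a0: bytes | None = None):
        self.n = n
        self.a0 = a0 if a0 is not None else secrets.token_bytes(32)
        self.i = 0

    def root(self) -> bytes:
        """a_n = H^n(a_0): the one value signed together with the contract."""
        return iterate(self.a0, self.n)

    def release(self) -> bytes:
        if self.i >= self.n:
            raise ValueError("chain exhausted: all n values are released")
        self.i += 1
        return iterate(self.a0, self.n - self.i)


class Verifier:
    """Party B, the arbiter, or the payee: remembers only the last accepted
    value and checks H(a_{n-i}) == a_{n-(i-1)} with one hash per round."""

    def __init__(self, root: bytes, n: int):
        self.last = root      # a_n, assumed received under a valid signature
        self.n = n
        self.i = 0            # rounds (payments) accepted so far

    def accept(self, value: bytes, rounds: int = 1) -> bool:
        """Accept `value` as covering `rounds` further rounds. rounds = 1 is
        the per-step check of the text; a larger value lets a payee that
        missed some steps catch up by iterating H. Replayed or out-of-order
        values do not reach the stored value and are rejected."""
        if rounds < 1 or self.i + rounds > self.n:
            return False
        if iterate(value, rounds) != self.last:
            return False
        self.last = value
        self.i += rounds
        return True

    def acceptance_probability(self) -> float:
        """Section 5.2: after round i the arbiter accepts with probability i/n."""
        return self.i / self.n

    def amount_paid(self, unit_cents: int) -> int:
        """Section 6.6: i payments of unit_cents each have been received."""
        return self.i * unit_cents
```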

Development of efficient schemes for micropayment has received considerable 
attention recently. Other schemes are given in [DEC, .1097]. 

7 Conclusion 

This paper has introduced the most widely applied digital signature schemes and 
discussed some applications of these related to electronic commerce. The security 
of the various protocols and mechanisms has only been described informally. As 
sound cryptographic design requires proofs based on acceptable cryptographic 
assumptions the reader is strongly encouraged to consult the original papers for 
full proofs of the security. 
Abstract. This paper describes the state of the art for cryptographic 
hash functions. Different definitions are compared, and the few theoreti- 
cal results on hash functions are discussed. A brief overview is presented 
of the most important constructions, and some open problems are pre- 
sented. 



1 Introduction 

Hash functions are well known in computer science. They compress a string of 
arbitrary length to a string of fixed length and are used to allocate as uniformly 
as possible storage for the records of a file. For cryptographic applications, addi- 
tional security requirements are necessary: informally, one requires that they are 
hard to invert, and (in most cases) that it is hard to find colliding inputs. This 
is achieved by creating a mapping that associates to an input string a ‘randomly 
looking’ output string (note that formally this makes no sense, as hash functions 
are deterministic mappings). As a consequence of these properties, hash func- 
tions create a ‘unique’ relationship between the input and the hash value; there 
are of course many inputs corresponding to a single output, but it is hard to 
identify these. 

Cryptographic hash functions can be used to protect the integrity of large 
amounts of information (such as the content of a hard disk, a set of financial 
transactions, a software program) by the integrity of a short string, the hash 
result. This protection can be achieved by digitally signing this short string [31], 
or by writing down the string on a piece of paper that is stored in a secure place. 
This is analogous to conventional message encryption, that replaces the secrecy 
of a large amount of information by the secrecy (and authenticity) of a secret 
key; typically this key is much shorter than the message. 

Hash functions have been used (and sometimes abused) for many other cryp- 
tographic applications. Examples include 

— the protection of pass-phrases (where the image of the pass-phrase under the hash function is stored in the computer, rather than the pass-phrase itself); 

— the commitment to a string without revealing it (see Damgård et al. [27]); 

— the construction of Message Authentication Codes (MACs), by introducing in the hash function a second parameter that is kept secret [5,7,70]; 

— key derivation, for example to derive session keys from a transaction number and a master key. 

The last two applications assume that the hash function keyed by a second 
parameter yields a pseudo-random function, or a mapping that is hard to pre- 
dict. Hash functions have also been used to instantiate ‘random oracles’ [9]; this 
requires even stronger properties. 

The remainder of this paper is organized as follows. Section 2 presents the 
definitions and Sect. 3 discusses generic constructions and security results. Spe- 
cific constructions are treated in Sect. 4, while conclusions and open problems 
are presented in Sect. 5. 

2 Definitions 

One distinguishes between hash functions that have only a single input, and 
hash functions that have a second input. The first type are sometimes called 
MDCs or Manipulation Detection Codes; many authors refer to this type simply 
as cryptographic hash functions, or even hash functions. If the second parameter 
is secret, one calls these functions keyed hash functions; an important subclass 
are MACs or Message Authentication Codes. Finally the second parameter can 
also be public; examples in this class are the UOWHFs or Universal One-Way 
Hash Functions. 

Note that one should not confuse hash functions with checksums that are 
used for error detection or correction (such as the well known Cyclic Redundancy 
Checks or CRCs). 

First we define one-way hash functions (OWHF) and collision resistant hash 
functions (CRHF). Both classes of hash functions are studied in this paper. Then 
we look at some related concepts, namely message authentication codes (MACs), 
universal one-way hash functions (UOWHFs) and universal hash functions. 

In the following the hash function will be denoted with $h$, and its argument, i.e., the information to be protected, with $x$. The image of $x$ under the hash function $h$ will be denoted with $h(x)$. It will be assumed that the description of the hash function $h$ is publicly known, and that it does not require any secret information (except for the optional parameter, which may be secret). A second assumption is that given the inputs, the computation of the hash result must be “easy.” 



2.1 One-Way Hash Function (OWHF) 

The concept of one-way hash functions was introduced by Diffie and Hellman in [31]. The first informal definition was apparently given by Merkle [59,60] and Rabin [73]. A one-way hash function is a function $h$ satisfying the following conditions: 

1. The argument $x$ can be of arbitrary length and the result $h(x)$ has a fixed length of $n$ bits (with $n > 64 \ldots 80$). 

2. The hash function must be one-way in the sense that given a $y$ in the image of $h$, it is “hard” to find a message $x$ such that $h(x) = y$ (preimage resistant) and given $x$ in the domain of $h$ and $h(x)$ it is “hard” to find a message $x' \neq x$ such that $h(x') = h(x)$ (second preimage resistant). 

Note that this last condition (finding a second preimage is “hard”) differs from the intuitive concept of one-wayness, namely that it is “hard” to find a preimage $x$ given only $h$ and the value of $h(x)$. It is clear that for permutations or injective functions only preimage resistance is relevant. The relation between preimage resistance and second preimage resistance is discussed in [58,67]. 

The above definition is only informal. For example, one should specify the distribution that is used to select $y$ respectively $x$, and specify what “hard” and “easy” means. The definition should also take into account that one can always invert functions with a small range (by exhaustive search) and that one can always precompute the function in a small set. There are many ways to formalize the definition, and it is a non-trivial exercise to show which of these are equivalent. 

For a formal definition, we need to specify a model of computation. Rather 
than probabilistic Turing machines (that are used traditionally in cryptogra- 
phy), we will follow here Bellare and Rogaway [10] and use the RAM model 
including pointers (see for example [22]); execution time is measured with re- 
spect to that model. An adversary is a program for this model, written in some 
fixed programming language. The adversary has access to random bits.^ The 
running time includes the actual execution time and the length of the program 
description. 

The set of all integers will be denoted with $\mathbb{N}$. The alphabet considered is the binary alphabet $\Sigma = \{0, 1\}$. For $n \in \mathbb{N}$, $\Sigma^n$ is the set of all binary strings of length $n$. The set of all strings of arbitrary length will be written as $\Sigma^*$. The size of a set $S$ is denoted with $|S|$. Let $h$ be a function with domain $D = \Sigma^*$ and range $R = \Sigma^n$. Note that in fact we will only consider inputs of bit length $l(n)$, with $l(n)$ a function that satisfies $l(n) > n$. This is not a real restriction, since it is not possible (in practice) to evaluate a function in inputs that are too large. 

Definition 1. A one-way hash function $H$ is a function with domain $D$ and range $R = \Sigma^n$ that satisfies the following conditions: 

— preimage resistance: let $x$ be selected uniformly in $D$ and let $M$ be an adversary that on input $h(x)$ uses time $\leq t$ and outputs $M(h(x)) \in D$. For each adversary $M$, 

$$\Pr_{x \in D}\{h(M(h(x))) = h(x)\} < \epsilon.$$ 

Here the probability is also taken over the random choices of $M$. 

Returning a random integer in the interval [1, n] takes time 0(logn). 
— 2nd preimage resistance: let $x$ be selected uniformly in $D$ and let $M'$ be an adversary that on input $x$ uses time $\leq t$ and outputs $x' \in D$ with $x' \neq x$. For each adversary $M'$, 

$$\Pr_{x \in D}\{h(M'(x)) = h(x)\} < \epsilon.$$ 

Here the probability is also taken over the random choices of $M'$. 

The above definition is only meaningful if $t/\epsilon$ is large; it is clear that $t/\epsilon < 2^n$. One can specify a constant as required by a given application. 

Note that this model does not take into account precomputation, which can be used to speed up the computation of many preimages (as for example in Hellman [49]). 

2.2 Collision Resistant Hash Function (CRHF) 

The fact that a function is one-way does not mean that it is hard to find two colliding inputs; it will be shown in Sect. 3.2 that the effort to find a collision is only the square root of the effort to find a (2nd) preimage. This motivates the definition of a collision resistant function as a separate primitive. Note that some authors call this a collision free hash function [24,25,26], or a collision intractable hash function [89]. 

The first formal definition of a CRHF was given by Damgard [24,25]. An 
informal definition was given by Merkle in [60]. A collision resistant hash 
function is a function h satisfying the following conditions: 

1. The argument $x$ can be of arbitrary length and the result $h(x)$ has a fixed length of $n$ bits (with $n > 128 \ldots 160$). 

2. The hash function must be one-way, i.e., preimage resistant and second preimage resistant. 

3. The hash function must be collision resistant: this means that it is “hard” 
to find two distinct messages that hash to the same result. 

Finding a second preimage cannot be easier than finding a collision: therefore 
the second preimage condition in this definition is redundant. However, preim- 
age resistance is not necessarily implied by collision resistance (note that it is 
required for certain applications). Damgard provides some definitions and con- 
ditions under which collision resistance implies preimage resistance [26]; see also 
Gibson’s comment in [42]. 

Formalizing a collision resistant hash function is not as straightforward as formalizing a one-way hash function. One cannot specify that there should not exist an adversary that outputs a collision: since there are many colliding inputs that are very short, there will be many efficient adversaries that can output a pair of inputs that collide under $h$ (just include two such inputs in the code). The way out of this problem is to define collision resistance as the property of a family $\mathcal{H}$ of hash functions, that is, a set of functions indexed by a parameter $S$. For simplicity, it will be assumed that $S$ is taken from the parameter space $\Sigma^s$. Thus $\mathcal{H}$ is a mapping from $D \times \Sigma^s \to R$, and an individual function in this family is denoted with $h_S : D \to R$. 
Definition 2. A collision-resistant hash function $\mathcal{H}$ is a function family with domain $D$ and range $R$ that satisfies the following conditions: 

— the functions $h_S$ are preimage resistant and second preimage resistant (cf. Definition 1). 

— collision resistance: let $F$ be a collision string finder that on input $S \in \Sigma^s$ uses time $\leq t$ and outputs either “?” or a pair $x, x' \in D$ with $x' \neq x$ such that $h_S(x') = h_S(x)$. For each $F$, 

$$\Pr\{F(\mathcal{H}) \neq \text{“?”}\} < \epsilon.$$ 

Here the probability is also taken over the random choices of $F$. 

Again this definition is only meaningful if $t/\epsilon$ is large; it will follow from Sect. 3.2 that an upper bound is $2.24 \cdot 2^{n/2}$. 



2.3 Universal One-Way Hash Function 

The concept of a UOWHF was introduced by Naor and Yung [64]. In [10], Bellare 
and Rogaway give a concrete definition (rather than an asymptotic one) and 
study practical constructions for this primitive under the name ‘target collision 
resistant hash functions.’ 

Definition 3. A universal one-way hash function $\mathcal{H}$ is a function family with domain $D$ and range $R = \Sigma^n$, that satisfies the following condition: 

— Let $F' = (F'_1, F'_2)$ be an adversary. $F'_1$ is run first; it is an algorithm that produces $x$ and possibly some state information; this information is passed on to $F'_2$. Algorithm $F'_2$ is given $S$, $x$ and the state information and outputs either “?” or an $x' \neq x$ such that $h_S(x') = h_S(x)$. 

For each $F'$ that runs in time $\leq t$ (that is, the sum of the running times of $F'_1$ and $F'_2$), 

$$\Pr\{F'(\mathcal{H}) \neq \text{“?”}\} < \epsilon.$$ 

Here the probability is also taken over the random choices of $F'$. 

The main difference with collision resistance is that here the input x is fixed 
first, and then the parameter S is chosen. This implies that finding collisions for 
a given value of S does not help an attacker. 

Naor and Yung show that a UOWHF can be used to build a digital signa- 
ture scheme [64]. Rompel [78] developed a (very inefficient) construction for a 
UOWHF based on any one-way function; in this way he reduces a digital signa- 
ture scheme to a one-way function, which is the weakest possible assumption. A 
UOWHF can replace a CRHF in a digital signature scheme if the signer does 
not intend to repudiate her signatures (see also Sect. 3.2). 
2.4 Message Authentication Code (MAC) 

Message Authentication Codes have been used for a long time in the banking 
community. However, MAC algorithms with good cryptographic properties were 
only introduced in the late 1970s. The first reference to a MAC algorithm is a 
1972 patent application by Simmons et al. (reference 10. in [81]). 

Definition 4. A MAC algorithm is a function $h$ satisfying the following conditions: 

1. The argument $x$ can be of arbitrary length and the result $h_K(x)$ has a fixed length of $n$ bits (with $n > 32 \ldots 64$). 

2. Given $h$ and $x$, it is “hard” to forge a MAC on a new message, that is, to determine $h_K(x)$ with a probability of success “significantly higher” than $1/2^n$. Even when many pairs $\{x_i, h_K(x_i)\}$ are known, where the $x_i$ have been selected (sequentially) by the opponent, it is “hard” to compute $h_K(x')$ for any $x' \neq x_i$. 

The last attack is called an adaptive chosen text attack. One distinguishes between forgery attacks and key recovery attacks: a forgery allows one to determine the MAC on a new message; a key recovery attack is much more serious as it allows one to forge the MAC for an arbitrary message. 

The exact security of a MAC algorithm can be expressed in terms of the 
running time t of the adversary, the number of known and (adaptively) chosen 
texts an adversary has access to, and the probability of success e of the forgery 
attack (see e.g., [7]). 

A MAC algorithm can be used for message authentication between a sender 
and a receiver who share a secret key K. In order to protect a message, the 
sender applies the MAC algorithm to the message and appends the resulting 
string to the message. On receipt of the message, the receiver recomputes the 
MAC and verifies that it corresponds to the transmitted MAC value. An active 
eavesdropper Eve can modify the message, but as she does not know the secret 
key, she cannot predict the MAC value for the modified message. 



2.5 Universal Hash Functions 

Universal hash functions are combinatorial objects, which implies that they can 
be defined without using a model of computation. They were introduced by 
Carter and Wegman [15,86], who show that they can be applied to efficient un- 
conditionally secure message authentication. In this way they found practical 
constructions for the authentication codes introduced by Simmons in the 1970s 
[80]. The first published reference to authentication codes is Gilbert et al. [44]. 
Other applications of universal hash functions include interactive proof systems, 
pseudo-random number generation, complexity theory, and probabilistic algo- 
rithms. 

A universal hash function is a mapping from a finite set $A$ with size $a$ to a finite set $B$ with size $b$. For a given hash function $h$ and for a pair $(x, x')$ with $x \neq x'$ the following function is defined: 

$$\delta_h(x, x') = \begin{cases} 1 & \text{if } h(x) = h(x') \\ 0 & \text{otherwise.} \end{cases}$$ 

As above, a finite set of hash functions will be denoted a family $\mathcal{H}$ of hash functions. Now $\delta_{\mathcal{H}}(x, x')$ is defined as $\sum_{h \in \mathcal{H}} \delta_h(x, x')$, or $\delta_{\mathcal{H}}(x, x')$ counts the number of functions in $\mathcal{H}$ for which $x$ and $x'$ collide. If a random choice of $h$ is made, then for any two distinct inputs $x$ and $x'$, the probability that these two inputs yield a collision equals $\delta_{\mathcal{H}}(x, x') / |\mathcal{H}|$. For a universal hash function, the goal is to minimize this probability together with the size of $\mathcal{H}$. 

Definition 5. Let $\epsilon$ be any positive real number. An $\epsilon$-almost universal family (or $\epsilon$-AU family) $\mathcal{H}$ of hash functions from a set $A$ to a set $B$ is a family of functions from $A$ to $B$ such that for any distinct elements $x, x' \in A$ 

$$|\{h \in \mathcal{H} : h(x) = h(x')\}| = \delta_{\mathcal{H}}(x, x') \leq \epsilon \cdot |\mathcal{H}|.$$ 

This definition states that for any two distinct inputs the probability for a collision is at most $\epsilon$. In [15] the case $\epsilon = 1/b$ is called universal (the smallest possible value for $\epsilon$ is $(a - b)/b(a - 1)$). 

Definition 6. Let $\epsilon$ be any positive real number. An $\epsilon$-almost strongly universal family (or $\epsilon$-ASU family) $\mathcal{H}$ of hash functions from a set $A$ to a set $B$ is a family of functions from $A$ to $B$ such that 

— for every $x \in A$ and for every $y \in B$, $|\{h \in \mathcal{H} : h(x) = y\}| = |\mathcal{H}|/b$, 

— for every $x_1, x_2 \in A$ ($x_1 \neq x_2$) and for every $y_1, y_2 \in B$ ($y_1 \neq y_2$), $|\{h \in \mathcal{H} : h(x_1) = y_1, h(x_2) = y_2\}| \leq \epsilon \cdot |\mathcal{H}|/b$. 

The first condition states that the probability that a given input $x$ is mapped to a given output $y$ equals $1/b$. The second condition implies that if $x_1$ is mapped to $y_1$, then the conditional probability that $x_2$ (different from $x_1$) is mapped to $y_2$ is upper bounded by $\epsilon$. The lowest possible value for $\epsilon$ equals $1/b$ and this family has been called strongly universal functions in [86]. Stinson shows that for this family the first condition in the definition follows from the second one [83]. 

An e-almost strongly universal hash function family can be used in a similar 
way as a MAC algorithm. The secret key K chooses a function in the family; 
unlike the key for a MAC algorithm, the key can serve to authenticate a single 
message only. An e-almost universal hash function family can also provide mes- 
sage authentication, but in addition its result needs to be encrypted (for example 
using a one-time pad). 
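An added example, not from the paper, that checks Definitions 5 and 6 by exhaustive counting for one small family of my own choice: $h_{a_1,a_2,b}(x_1, x_2) = a_1 x_1 + a_2 x_2 + b \bmod p$ from $A = \mathbb{Z}_p^2$ (so $a = p^2$) to $B = \mathbb{Z}_p$ (so $b = p$), with $|\mathcal{H}| = p^3$; it then uses the family as a one-time MAC in the way the last paragraph describes. The function names are mine.

```python
from collections import Counter
from itertools import product
import secrets

P = 7                                         # b = |B| = P, a = |A| = P^2 (my choice)
FAMILY = list(product(range(P), repeat=3))    # keys (a1, a2, b): one per function, |H| = P^3
DOMAIN = list(product(range(P), repeat=2))    # A = Z_P x Z_P


def h(key: tuple, x: tuple) -> int:
    """h_{a1,a2,b}(x1, x2) = a1*x1 + a2*x2 + b mod P."""
    a1, a2, b = key
    x1, x2 = x
    return (a1 * x1 + a2 * x2 + b) % P


def delta(x: tuple, x2: tuple) -> int:
    """delta_H(x, x'): number of functions in H under which x and x' collide."""
    return sum(1 for key in FAMILY if h(key, x) == h(key, x2))


def au_epsilon() -> float:
    """Smallest eps for which Definition 5 holds: max over distinct pairs of delta_H/|H|."""
    worst = 0
    for i, x in enumerate(DOMAIN):
        for x2 in DOMAIN[i + 1:]:
            worst = max(worst, delta(x, x2))
    return worst / len(FAMILY)


def asu_check() -> tuple:
    """Definition 6: (does the first condition hold?, smallest eps for the second one)."""
    size, b_size = len(FAMILY), P
    # first condition: every (x, y) is hit by exactly |H|/b functions
    first = all(sum(1 for key in FAMILY if h(key, x) == y) == size // b_size
                for x in DOMAIN for y in range(P))
    # second condition: count functions with h(x1) = y1 and h(x2) = y2, y1 != y2
    worst = 0
    for i, x1 in enumerate(DOMAIN):
        for x2 in DOMAIN[i + 1:]:
            joint = Counter((h(key, x1), h(key, x2)) for key in FAMILY)
            worst = max(worst,
                        max(c for (y1, y2), c in joint.items() if y1 != y2))
    return first, worst * b_size / size    # count <= eps*|H|/b  =>  eps = count*b/|H|


# One-time authentication: the secret key K selects the function and the tag is
# h_K(message); as the text says, one key may authenticate a single message only.
def new_key() -> tuple:
    return tuple(secrets.randbelow(P) for _ in range(3))


def tag(key: tuple, message: tuple) -> int:
    return h(key, message)


def verify(key: tuple, message: tuple, t: int) -> bool:
    return h(key, message) == t


if __name__ == "__main__":
    print(au_epsilon(), asu_check())   # 1/7 and (True, 1/7) for P = 7
```

Both counts come out at $\epsilon = 1/p = 1/b$, the lowest value possible, so this family is strongly universal in the sense of [86].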

3 Generic Constructions and Attacks 

First a general model is presented for iterated hash functions. Next generic at- 
tacks are described, that is, attacks that are independent of the specific details of 
the hash function. This section is concluded with a discussion of generic security 
results for hash functions. 
3.1 A General Model for Iterated Hash Functions 

Most known hash functions are based on a compression function with fixed size inputs; they process every message block in a similar way. Lai and Massey call this an “iterated” hash function [55]. The information is divided into $t$ blocks $x_1$ through $x_t$. If the total number of bits is not a multiple of the block length, the information is padded to the required length (using a so-called padding rule). The hash function can then be described as follows: 

$$H_0 = IV$$ 
$$H_i = f(x_i, H_{i-1}) \qquad i = 1, 2, \ldots, t$$ 
$$h(x) = g(H_t).$$ 

The result of the hash function is denoted with $h(x)$ and $IV$ is the abbreviation for Initial Value. The function $f$ is called the round function or compression function, and the function $g$ is called the output transformation. It is often omitted (that is, $g$ is often the identity function). Two elements in this definition have an important influence on the security of a hash function: the choice of the padding rule and the choice of the $IV$. It is recommended that the padding rule is unambiguous (i.e., there do not exist two messages that can be padded to the same padded message); at the end one should append the length of the message; and the $IV$ should be defined as part of the description of the hash function (this is called MD-strengthening after Merkle and Damgård). In some cases one can deviate from this rule, but this will make the hash function less secure and may lead to trivial collisions or second preimages. 
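An added example, not from the paper, of the iterated model above with two padding rules side by side: an ambiguous zero-fill rule without a length field, and MD-strengthening (a single 1 bit, zeros and the message length appended, with a fixed $IV$). The compression function $f$ is instantiated here as SHA-256 of $H_{i-1} \,\|\, x_i$ and $g$ is the identity; the block size and function names are my own choices.

```python
import hashlib
import struct

BLOCK = 64               # block length of x_i in bytes (512 bits), my choice
N_BYTES = 32             # chaining variable / hash result length (256 bits)
IV = b"\x00" * N_BYTES   # fixed IV, part of the description of the hash function


def f(x_i: bytes, h_prev: bytes) -> bytes:
    """Compression function f(x_i, H_{i-1}), instantiated as SHA-256(H_{i-1} || x_i)."""
    assert len(x_i) == BLOCK and len(h_prev) == N_BYTES
    return hashlib.sha256(h_prev + x_i).digest()


def pad_naive(x: bytes) -> bytes:
    """Ambiguous rule: zero-fill to a multiple of BLOCK, no length appended.
    x and x||0 pad to the same string whenever len(x) is not a multiple of BLOCK."""
    return x + b"\x00" * (-len(x) % BLOCK)


def pad_md(x: bytes) -> bytes:
    """MD-strengthening: append a single 1 bit (0x80), then zeros, then the
    64-bit bit length, so that distinct messages never pad to the same string."""
    bit_length = 8 * len(x)
    padded = x + b"\x80"
    padded += b"\x00" * ((BLOCK - 8 - len(padded)) % BLOCK)
    return padded + struct.pack(">Q", bit_length)


def iterated_hash(x: bytes, strengthen: bool = True) -> bytes:
    """h(x) = g(H_t) with H_0 = IV and H_i = f(x_i, H_{i-1}); g is the identity."""
    padded = pad_md(x) if strengthen else pad_naive(x)
    h = IV
    for i in range(0, len(padded), BLOCK):
        h = f(padded[i:i + BLOCK], h)
    return h


def trivial_second_preimage(x: bytes, strengthen: bool) -> bytes:
    """Return x||0 if it hashes to the same value as x (the trivial second
    preimage the text warns about), otherwise None."""
    candidate = x + b"\x00"
    if iterated_hash(candidate, strengthen) == iterated_hash(x, strengthen):
        return candidate
    return None


if __name__ == "__main__":
    print(trivial_second_preimage(b"abc", strengthen=False))   # b'abc\x00'
    print(trivial_second_preimage(b"abc", strengthen=True))    # None
```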

An alternative model is a tree structure, that allows for increased parallelism 
and may result in different security conditions for the round function (see also 
Sect. 3.3). For the time being it is rarely used in practice. 

The general model for MAC algorithms is similar to that of MDCs; the use of 
an output transformation is more common here. Bellare and Rogaway [10] show 
that the above model does not work for a UOWHF, and they introduce a different 
approach. Earlier Naor and Yung developed a different iterated construction for 
a UOWHF in [64]. 



3.2 Generic Attacks 

This section gives an overview of the known general attack methods on MDCs. A first class of attacks depends only on the size of the parameters, and not on the specific hash function. The second class depends on the properties of the round function $f$. 

This taxonomy can be helpful to understand the security results presented in 
Sect. 3.3, but can also serve as a caveat for designers and users of hash functions. 



Attacks Independent of the Algorithm These attacks depend only on the size $n$ in bits of the hash result, and are independent of the specific details of the algorithm. It is assumed that the MDC approximates a random function: if this is not the case this class of attacks will be even more successful. For the time being $2^{64}$ operations is considered to be on the edge of feasibility. In view of the fact that the speed of computers is multiplied by four every three years (this is one of the formulations of Moore’s law), $2^{64}$ operations is sufficient for the next 5 to 10 years, but it will be only marginally secure within 15 years. For applications that require protection for 20 years, one should try to design the hash function such that an attack requires at least $2^{80}$ operations. 

Random (2nd) Preimage Attack. The opponent selects a random message and hopes that a given hash result will be hit. If the hash function has the required “random” behavior, his probability of success equals $1/2^n$ with $n$ the number of bits of the hash result. This attack can be carried out off-line and in parallel, which means that $n$ should be at least 64. 

If a significant number of messages can be attacked simultaneously, it is ad- 
visable to select a larger value of n. In that case it is preferable to use a UOWHF 
rather than a simple OWHF : as every instance will have a different parameter, 
this prevents an attacker from amortizing his effort over many targets. 

Birthday Attack. The birthday paradox states that for a group of 23 people, the probability that at least two people have a common birthday exceeds 1/2. Intuitively one expects that the probability is much lower. However, the number of pairs of people in such a group equals $23 \cdot 22/2 = 253$. This can be exploited to find collisions for a hash function as follows: an adversary generates $r_1$ variations on a bogus message and $r_2$ variations on a genuine message. The expected number of collisions equals $r_1 \cdot r_2 / 2^n$. The probability of finding a bogus message and a genuine message that hash to the same result is given by $1 - \exp(-r_1 \cdot r_2 / 2^n)$, which is about 63% when $r = r_1 = r_2 = 2^{n/2}$. Finding the collision does not require $r^2$ operations: after sorting the data, which requires $O(r \log r)$ operations, comparison is easy. This attack was first pointed out by Yuval [87]. 

One can reduce the memory requirements for collision search by translating 
the problem to the detection of a cycle in an iterated mapping. Indeed, any 
mapping that is iterated on a finite set will eventually repeat, i.e., it will enter 
a cycle. If the mapping is a random mapping (rather than a permutation), the 
entry point to the cycle corresponds to a collision for the function (this algorithm 
fails if the starting point belongs to the cycle, but this event has a negligible 
probability). The detection of a cycle does not require storing all the values; 
for example, the technique of distinguished points can be used (one only stores 
special points, for example those points beginning with 30 zero bits). Cycle 
detection techniques were first applied to collision search by Quisquater [71]. 
The expected number of function evaluations of his algorithm is 2^ -k j2-2 ^ ; the 
storage requirements are negligible. In [85], van Oorschot and Wiener propose an 
efficient parallel variant of this algorithm: the speed-up is linear with the number 
of processors. They estimate that with a 10 million US$ machine, collisions for 
MD5 (with n = 128) can be found in 21 days (in 1994). In order to make a 
collision search infeasible, n should be at least 160 bits. 
For digital signatures, hash functions need to be collision resistant since otherwise one can sign one message and later claim to have signed a different message, or be held accountable for a different message. There is no way to prevent a sender from performing this attack, although the occurrence of two messages that hash to the same value might raise suspicion against him. Outsiders can perform the same attack if they can convince the signer to sign a message of their choice. The sender can protect himself by randomizing the message just prior to signing (or by randomizing the hash function as is done for a UOWHF, cf. Sect. 2.3). 



Attacks Dependent on the Chaining This class of attacks depends on some high level properties of the compression function $f$. 

Meet-in-the-Middle Attack. This attack is a variation on the birthday attack, but instead of comparing the hash results, one compares intermediate chaining variables. The attack enables an opponent to construct a (2nd) preimage, which is not possible for a simple birthday attack. The opponent generates $r_1$ variations on the first part of a bogus message and $r_2$ variations on the last part. Starting from the initial value and going backwards from the hash result, the probability for a matching intermediate variable is again given by $1 - \exp(-r_1 \cdot r_2 / 2^n)$. The only restriction that applies to the meeting point is that it cannot be the first or last value of the chaining variable. The cycle finding algorithm has been extended by Quisquater to perform a meet-in-the-middle attack with negligible storage [72]. The attack can be precluded by avoiding functions $f$ that are invertible to the chaining variable and to the message $x_i$ (see also Theorem 1 in Sect. 3.3). 

Further extensions of this attack have been proposed by Coppersmith [19] and 
Girault et al. [46] to break p-fold iterated schemes, i.e., weak schemes with more 
than one ‘pass’ over the message as proposed by Davies [28]. Other extensions 
take into account additional constraints on the message. 

Fixed Point Attack. The idea of this attack is to look for an $H_{i-1}$ and $x_i$ such that $f(x_i, H_{i-1}) = H_{i-1}$. If the chaining variable is equal to $H_{i-1}$ it is possible to insert an arbitrary number of blocks equal to $x_i$ without modifying the hash result. Producing collisions or a second preimage with this attack is only possible if the chaining variable can be made equal to $H_{i-1}$; this is the case if $IV$ can be chosen equal to a specific value, or if a large number of fixed points can be constructed (e.g., if one can find an $x_i$ for a significant fraction of $H_{i-1}$’s). Of course this attack can be extended to fixed points that occur after more than one iteration. This attack can be made more difficult by appending a block count and by fixing $IV$ (MD-strengthening, see Sect. 3.1). 



3.3 General Security Results 

Research on hash functions has focussed on the question: which properties should be imposed on $f$ to guarantee that $h$ satisfies certain properties? Two partial answers have been found to this question. The first result by Lai and Massey [55] gives necessary and sufficient conditions for $f$ in order to obtain an “ideally secure” hash function $h$, that is, a hash function for which finding a preimage takes time $O(2^n)$. 

Theorem 1 (Lai–Massey). Assume that the padding contains the length of the input string, and that the message $x$ (without padding) contains at least 2 blocks. Then finding a second preimage for $h$ with a fixed $IV$ requires $2^n$ operations if and only if finding a second preimage for $f$ with arbitrarily chosen $H_{i-1}$ requires $2^n$ operations. 

Necessity of the condition is based on the following argument: if one can find 
a second preimage for / in 2® operations (with s < n), one can find a second 
preimage for h in operations with a meet-in-the-middle attack (cf. 

Sect. 3.2). 

A second result by Damgård [26] and independently by Merkle [60] states that for $h$ to be a CRHF it is sufficient that $f$ is a collision resistant function. 

Theorem 2 (Damgård–Merkle). Let $f$ be a collision resistant function mapping $l$ to $n$ bits (with $l - n > 1$). If an unambiguous padding rule is used, the following construction yields a CRHF: 

$$H_1 = f(0^{n+1} \,\|\, x_1)$$ 
$$H_i = f(H_{i-1} \,\|\, 1 \,\|\, x_i) \qquad \text{for } i = 2, 3, \ldots, t.$$ 

Here $\|$ denotes the concatenation of binary strings. The construction can be improved slightly,^ and extended to the case where $l = n + 1$, at the cost of an additional assumption on $f$ (see [26] for details and Gibson’s comment in [42]). It can also be extended to a tree construction, which allows for increased parallelism [26]. 

We conclude this section with two other general results on the theory of hash 
functions. Damgard has showed in [25] that a collision resistant hash function 
can be constructed if claw- free permutations exist; Russell has slightly weakened 
this requirement to the existence of claw-free pseudo-permutations [79] (pseudo- 
permutations are functions that cannot be distinguished from permutations). 
Recently Simon [82] has provided a motivation to treat collision resistant hash 
functions as independent cryptographic primitives. He showed that no provable 
construction of a CRHF exists based on a “black box” one-way permutation, 
i.e., a one-way permutation treated as an oracle. 

4 An Overview of Constructions 

This section briefly discusses three types of MDCs: MDCs based on a block cipher, MDCs based on algebraic structures (modular arithmetic, knapsack, and lattice problems), and custom designed MDCs. For a more detailed discussion, the reader is referred to [67,68]. 

One can get rid of the extra “0” and “1” bits. 
4.1 MDCs Based on a Block Cipher 

Several arguments can be given for designers of hash functions to base their 
schemes on existing encryption algorithms. The first argument is purely histor- 
ical: DES [37] was the first standard commercial cryptographic primitive that 
was widely available; it seemed natural to construct hash functions based on this 
block cipher. A second argument is the minimization of the design and imple- 
mentation effort: hash functions and block ciphers that are both efficient and 
secure are hard to design, and many examples that support this view can be 
found in the literature. Moreover, existing software and hardware implementa- 
tions can be reused, which will decrease the cost. The major advantage however 
is that the trust in existing encryption algorithms can be transferred to a hash 
function. The main disadvantage of this approach is that custom designed hash 
functions are likely to be more efficient. This is particularly true because hash 
functions based on block ciphers require a key change after every encryption. 
Finally note that block ciphers may exhibit some weaknesses that are only im- 
portant if they are used in a hashing mode. One also has to take into account 
that in some countries export restrictions for block ciphers may be tighter than 
those for hash functions. 

The encryption operation $E$ will be written as $y = E_K(x)$. Here $x$ denotes the plaintext, $y$ the ciphertext, and $K$ the key. The size of the plaintext and ciphertext or the block length (in bits) will be denoted with $r$, while the key size (in bits) will be denoted with $k$. In the case of the well known block cipher DES, $r = 64$ and $k = 56$ [37]. The hash rate of a hash function based on a block cipher is defined as the number of $r$-bit input blocks that can be processed with a single encryption. 

A distinction will be made between the cases n = r, n = 2r, and n > 2r. This 
is motivated by the fact that most proposed block ciphers have a block length of 
only 64 bits, and hence an MDC with a result at least twice the block length is 
necessary to obtain a CRHF. Other proposals are based on a block cipher with 
a large key, or on a block cipher with a modified key schedule. 



Size of Hash Result Equal to the Block Length. It follows from Sect. 3.2 
that these hash functions can only be collision resistant if the block length r is 
at least 128 bits to 160 bits. Most present day block ciphers have only a block 
length of 64 bits, but the AES (Advanced Encryption Standard), which NIST 
intends to publish by 2001, will have a block length of 128 bits. 

All schemes of this type proposed in the literature have rate 1. The first 
‘secure’ construction for such a hash function was the ’85 scheme by Matyas et 
al. [57]: 

Here s() is a mapping from the ciphertext space to the key space. This scheme 
has been included in ISO/IEC 10118-2 [51], and it forms the main building block 
for other hash functions based on block ciphers. This general construction is also 
used in several custom designed hash functions (cf. Sect. 4.3). 
It is widely believed that this mapping is hard to invert, but there is no proof of this. It is not even clear which assumptions have to be imposed on the block cipher to allow for such a proof. One can apply the following intuitive reasoning: either one chooses the plaintext x, but then one has to find the key corresponding to one plaintext/ciphertext pair, which is deemed to be infeasible; alternatively, one chooses the key, but then one has to find for a given key a plaintext/ciphertext pair with a known difference, which is also believed to be difficult. Therefore it is conjectured that if the block cipher is ‘ideal’ (i.e., a keyed random one-way permutation) no shortcut attacks exist, which implies that a collision attack requires Θ(2^{r/2}) operations and a (2nd) preimage attack Θ(2^r) operations.

Preneel et al. show that 12 variants exist with a similar security level; they can be obtained by applying an affine transformation to the inputs of two basic schemes [69]. Moreover, the security level of these hash functions is limited by min(k, r), even if the size of some internal variables is equal to max(k, r). One such variant is widely known as the Davies-Meyer scheme (the real inventors are probably Matyas and Meyer):


H_i = E_{x_i}(H_{i-1}) \oplus H_{i-1} .


It has the advantage that it extends more easily to block ciphers where key size 
and block size are different. 
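As an added illustration (not code from the paper), the following Go program instantiates the Matyas-Meyer-Oseas and Davies-Meyer compression functions with AES-128, so that r = k = 128 and the mapping s() can simply be the identity, iterates them over a length-padded message, and makes the role of the feedforward visible: the Davies-Meyer step with the final XOR removed is just E_{x_i}(H_{i-1}) and can be inverted by decryption. The IV, the padding rule and the sample message are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// AES-128 plays the role of E: block length r and key size k are both 128 bits,
// so the mapping s() from ciphertext space to key space can be the identity.
const blockSize = aes.BlockSize

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encrypt computes y = E_K(x) for one block; decrypt is its inverse.
func encrypt(key, x []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	y := make([]byte, blockSize)
	c.Encrypt(y, x)
	return y
}

func decrypt(key, y []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	x := make([]byte, blockSize)
	c.Decrypt(x, y)
	return x
}

// Matyas-Meyer-Oseas: H_i = E_{s(H_{i-1})}(x_i) xor x_i, with s the identity.
func mmoCompress(hPrev, x []byte) []byte { return xorBlocks(encrypt(hPrev, x), x) }

// Davies-Meyer: H_i = E_{x_i}(H_{i-1}) xor H_{i-1}; the message block is the key.
func dmCompress(hPrev, x []byte) []byte { return xorBlocks(encrypt(x, hPrev), hPrev) }

// The Davies-Meyer step without its feedforward is just E_{x_i}(H_{i-1}): anyone
// holding H_i and x_i decrypts to recover H_{i-1}, so that variant is not one-way.
func noFeedforward(hPrev, x []byte) []byte     { return encrypt(x, hPrev) }
func invertNoFeedforward(h, x []byte) []byte  { return decrypt(x, h) }

// pad appends a 1 bit, zero bits and the 64-bit message length (Merkle-Damgard
// strengthening) so that the padded message is a whole number of r-bit blocks.
func pad(msg []byte) []byte {
	p := append([]byte{}, msg...)
	p = append(p, 0x80)
	for len(p)%blockSize != blockSize-8 {
		p = append(p, 0x00)
	}
	var length [8]byte
	binary.BigEndian.PutUint64(length[:], uint64(len(msg))*8)
	return append(p, length[:]...)
}

// iterate chains a compression function over the padded message, starting from a
// fixed IV (the IV value is a constructed constant for this example).
func iterate(compress func(hPrev, x []byte) []byte, msg []byte) []byte {
	h := bytes.Repeat([]byte{0x42}, blockSize)
	p := pad(msg)
	for i := 0; i < len(p); i += blockSize {
		h = compress(h, p[i:i+blockSize])
	}
	return h
}

// MMOHash and DMHash are rate-1 hash functions with a 128-bit result.
func MMOHash(msg []byte) []byte { return iterate(mmoCompress, msg) }
func DMHash(msg []byte) []byte  { return iterate(dmCompress, msg) }

func main() {
	msg := []byte("constructed sample message")
	fmt.Printf("MMO: %x\nDM:  %x\n", MMOHash(msg), DMHash(msg))
	h := bytes.Repeat([]byte{0x01}, blockSize)
	x := bytes.Repeat([]byte{0x02}, blockSize)
	fmt.Println("no-feedforward step inverted:",
		bytes.Equal(invertNoFeedforward(noFeedforward(h, x), x), h))
}
```

With AES-128 the hash rate is 1 in the sense of Sect. 4.1: one encryption per 128-bit message block, and a new key schedule for every block, which is the efficiency cost mentioned above. The same decryption trick fails once the feedforward is in place, since E_{x_i}(H_{i-1}) ⊕ H_{i-1} is no longer a ciphertext of H_{i-1} under x_i.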



Size of Hash Result Equal to Twice the Block Length. The goal of double block length hash functions is to achieve a higher security level against collision attacks. Ideally a collision attack on such a hash function should require 2^r operations, and a (2nd) preimage attack 2^{2r} operations.

A series of proposals attempted to double the size of the hash result, for example by iterating a OWHF; all of these succumbed to a ‘divide and conquer’ attack. A large class of proposals of rate 1 has the following form:

where A^1_i, B^1_i, and C^1_i are binary linear combinations of H^1_{i-1}, H^2_{i-1}, x^1_i, and x^2_i, and where A^2_i, B^2_i, and C^2_i are binary linear combinations of H^1_{i-1}, H^2_{i-1}, x^1_i, x^2_i, and H^1_i. The hash result is equal to the concatenation of H^1_i and H^2_i. Knudsen et al. showed that for all hash functions in this class, a preimage attack requires at most 2^r operations, and a collision attack requires at most 2^{3r/4} operations (for most schemes this can be reduced to 2^{r/2}) [53].

The few proposals that survive till today have rate less than 1. Two important examples are MDC-2 and MDC-4 with hash rate 1/2 and 1/4 respectively. They have been designed by Brachtl et al. [13], and are also known as the Meyer-Schilling hash functions after the authors of the first paper describing these schemes [63]. MDC-2 has been included in ISO/IEC 10118-2 [51] (in a more general form); it can be described as follows:

T^1_i = E_{u(H^1_{i-1})}(x_i) \oplus x_i = LT^1_i \| RT^1_i
T^2_i = E_{v(H^2_{i-1})}(x_i) \oplus x_i = LT^2_i \| RT^2_i
H^1_i = LT^1_i \| RT^2_i
H^2_i = LT^2_i \| RT^1_i .

Here the variables H^1_0 and H^2_0 are initialized with the values IV_1 and IV_2 respectively, and the hash result is equal to the concatenation of H^1_i and H^2_i. The ISO/IEC standard does not specify the block cipher; it also requires the specification of two mappings u, v from the ciphertext space to the key space such that u(IV_1) ≠ v(IV_2). The best known preimage and collision attacks on MDC-2 require 2^{2r} and 2^r operations respectively (Lai and Massey [55]). However, it is obvious that the compression function of MDC-2 is rather weak: preimage and collision attacks on the compression function require at most 2^r and 2^{r/2} operations (one fixes x_i and varies H^1_{i-1} and H^2_{i-1} independently).
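The MDC-2 step just described, written out as an added example in Go with AES-128 as E (this is not code from the paper or from ISO/IEC 10118-2). The mappings u and v, the two IVs, and the simplistic zero-filling of a short final block are assumptions of the example. The last function makes the remark about the compression function concrete: with x_i fixed, the left half of the new H^1_i is determined by H^1_{i-1} alone, which is why the two chaining halves can be treated independently.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const r = aes.BlockSize // 16-byte blocks; AES-128 keys are also 16 bytes

func encryptBlock(key, x []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	y := make([]byte, r)
	c.Encrypt(y, x)
	return y
}

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, r)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// u and v map a chaining value to a key. The standard only requires u(IV1) != v(IV2);
// with AES-128 (k = r) we take u as the identity and let v flip one key bit (assumed choice).
func u(h []byte) []byte { return h }
func v(h []byte) []byte {
	k := append([]byte{}, h...)
	k[0] ^= 0x80
	return k
}

// MDC2Compress performs one MDC-2 step on chaining values H^1, H^2 and block x:
//   T^1 = E_{u(H^1)}(x) xor x = LT^1 || RT^1
//   T^2 = E_{v(H^2)}(x) xor x = LT^2 || RT^2
//   new H^1 = LT^1 || RT^2,   new H^2 = LT^2 || RT^1
func MDC2Compress(h1, h2, x []byte) (nh1, nh2 []byte) {
	t1 := xorBlocks(encryptBlock(u(h1), x), x)
	t2 := xorBlocks(encryptBlock(v(h2), x), x)
	half := r / 2
	nh1 = make([]byte, r)
	nh2 = make([]byte, r)
	copy(nh1[:half], t1[:half])
	copy(nh1[half:], t2[half:])
	copy(nh2[:half], t2[:half])
	copy(nh2[half:], t1[half:])
	return nh1, nh2
}

// MDC2Hash chains the step over the message. The ISO/IEC 10118-2 padding rules are
// omitted; a short final block is zero-filled here as a simplification.
func MDC2Hash(msg []byte) []byte {
	h1 := bytes.Repeat([]byte{0x52}, r) // IV1 (constructed)
	h2 := bytes.Repeat([]byte{0x25}, r) // IV2 (constructed)
	p := append([]byte{}, msg...)
	for len(p)%r != 0 {
		p = append(p, 0x00)
	}
	for i := 0; i < len(p); i += r {
		h1, h2 = MDC2Compress(h1, h2, p[i:i+r])
	}
	return append(h1, h2...) // 2r-bit result: H^1 || H^2
}

// LeftHalfIgnoresH2 checks the structural property noted above: for a fixed x, the
// left half of the new H^1 depends on H^1 only, whatever H^2 is.
func LeftHalfIgnoresH2(h1, h2a, h2b, x []byte) bool {
	a, _ := MDC2Compress(h1, h2a, x)
	b, _ := MDC2Compress(h1, h2b, x)
	return bytes.Equal(a[:r/2], b[:r/2])
}

func main() {
	fmt.Printf("MDC-2: %x\n", MDC2Hash([]byte("constructed sample message")))
}
```

Because the example zero-fills the last block, two messages that differ only in trailing zero bytes hash to the same value; that is precisely the kind of trivial collision the standard's padding rule exists to prevent, so a real implementation must follow ISO/IEC 10118-2 rather than this shortcut.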

One iteration of MDC-4 consists of the concatenation of two MDC-2 steps, where the plaintexts in the second step are equal to H^2_{i-1} and H^1_{i-1}. The rate of MDC-4 is equal to 1/4. The best known attack to find a preimage for MDC-4 requires 2^{2r} operations. This shows that MDC-4 is probably more secure than MDC-2 against preimage attacks. However, a collision for the compression function of MDC-2 with a specified value for H^1_{i-1} and H^2_{i-1} also yields a collision for the compression function of MDC-4. Moreover, it has been demonstrated by Preneel and Knudsen [67,54] that collisions for the compression function of MDC-4 can be found with encryptions and the storage of r-bit quantities.

Merkle describes an interesting proposal in [60], for which he proves that the compression function is collision resistant based on the assumption that the underlying single block length scheme is secure. The simplest scheme (with rate 1/18.3 for DES) can be described as follows:

H_i = \mathrm{chop}_{16}\left( E_{0 \| H^1_{i-1}}(H^2_{i-1} \| x_i) \;\|\; E_{1 \| H^1_{i-1}}(H^2_{i-1} \| x_i) \right)

Here H_{i-1} is a string consisting of 112 bits, the leftmost 55 bits of which are denoted H^1_{i-1}, and the remaining 57 are denoted H^2_{i-1}; x_i consists of 7 bits only. The function chop_t drops the t rightmost bits of its argument. Note that this construction is similar to MDC-2 (but much slower). The most efficient proposal is more complex and uses six invocations of the block cipher in two layers. Its hash rate is equal to 0.27 for DES. Merkle’s proof for this proposal only showed a security level of 2^{52.5} against collisions; Preneel has improved this to 2^{56} [67].

Even the schemes in this class that provide optimal security do not offer long 
term collision resistance when used with DES; this will change with AES, which 
will have a block and key length of 128 bits (key lengths of 192 and 256 bits will 
also be provided). 



Size of Hash Result Larger than Twice the Block Length. Knudsen and Preneel also design a collision resistant compression function, but with parallel encryptions only [54]. They show how a class of efficient constructions for hash functions can be obtained by using non-binary error-correcting codes. Their schemes can achieve a provable security level against collisions equal to 2^r (or more) and this with rates larger than 1/2; the security proof reduces the security of this scheme to an assumption on the single block length hash functions. The internal memory of the scheme is however much larger than 2 or 3 blocks, which implies that an output transformation is required.



Other Constructions. Extending earlier work by Merkle [59], Lai and Massey [55] propose constructions for block ciphers with a key twice as long as the block length (Tandem Davies-Meyer and Abreast Davies-Meyer). Both schemes have rate equal to 1/2; the best known attacks for a preimage and a collision require 2^{2r} respectively 2^r encryptions. Faster schemes in this class have been developed in [54].

Aiello and Venkatesan propose in [1] a construction to double the output of 
a random function. In order for it to be usable for hashing, one needs to define 
the key schedule of this larger ‘block cipher’. The construction by Aiello, Haber, 
and Venkatesan [2] replaces the key schedule of DES by a function from the 
MDx-family (cf. Sect. 4.3); several instances are combined by choosing different 
(fixed) plaintexts. 

4.2 MDCs Based on Algebraic Structures 

First hash functions based on modular arithmetic are considered. Next hash 
functions based on knapsack problems and lattices are presented. This section 
is concluded with a short discussion of incremental hash functions. 



MDCs Based on Modular Arithmetic. These hash functions are designed 
to use the modular arithmetic hardware that is required to produce digital signa- 
tures (for example, RSA [77]). The security of certain constructions can be based 
on the hardness of some number theoretic problems. Moreover these schemes 
are easily scalable. The disadvantage is that the underlying primitive has a rich 
mathematical structure; this can be exploited in attacks that use the homomor- 
phic structure and the fixed points of modular exponentiation (trivial examples 
are 0 and 1); one also has to ensure that no small inputs occur. 

A distinction is made between ‘ad hoc’ schemes, which have no provable 
reduction to the underlying hard problem, and provably secure schemes. Schemes 
in the first class are typically much more efficient, but many proposals have been 
broken; however, it seems that recently designers have been more conservative 
and designs survive longer. 

Schemes Without Security Reduction. Most of these schemes use a modulus N, that is, the product of two large primes. The size of N in bits (denoted with n) is typically between 512 and 1024. These hash functions can be useful in combination with RSA [77] as digital signature scheme. However, this choice poses the following practical problem: the person who has generated the modulus knows its factorization, and hence he has a potential advantage over the other users of the hash function. One can try to design the hash function such that knowledge of the factorization does not help in attacking it (this is probably difficult to achieve). Alternatives are to use a trusted third party to generate the modulus (for example, the modulus of the Certification Authority), or to generate the modulus using a multi-party secure computation; recently practical solutions for such a computation have been developed by Boneh and Franklin [12] and Frankel et al. [40].

The most efficient schemes are based on modular squaring. An additional argument for squaring is that any algorithm that can extract modular square roots is reducible to a factoring algorithm (in random polynomial time). The best scheme seems to be of the following form:

H_i = (x_i \oplus H_{i-1})^2 \bmod N \oplus H_{i-1}   [69].

It is essential to add redundancy to the message input. The first designs for this redundancy were not very successful (see for example Girault [45], Girault and Misarsky [47], and Coppersmith [20]). ISO/IEC SC27 has developed a new proposal, that is currently at the Final Draft International Standard (FDIS) level; it is called MASH-1 (for Modular Arithmetic Secure Hash) [51]:

H_i = \left( (x_i \oplus H_{i-1}) \vee A \right)^2 \pmod N \oplus H_{i-1} ;

here A = 0xF00...00, the four most significant bits in every byte of x_i are set to 1111, and the output of the squaring operation is chopped to n bits. A complex output transformation is added, which consists of a number of applications of the compression function; its goal is to destroy all the remaining mathematical structure. The final result is at most n/2 bits. The best known preimage and collision attacks on MASH-1 require 2^{n/2} and 2^{n/4} operations [21]; they are thus not better than brute force attacks. MASH-2 is a variant of MASH-1 which uses exponent 2^8 + 1 [51]. This provides for an additional security margin.
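To make the role of the redundancy visible, here is an added Go example (not the paper's or the standard's code) of a MASH-1-like compression function over a constructed 32-bit toy modulus. Everything about this instance (the modulus 65521 · 65519, the IV H_0 = 0, the 2-byte data blocks, the direction of the chop, the omission of the length encoding and of the output transformation) is an assumption of the example, and it is far too small to be secure; the point is to see the OR with A and the chop in action, and to compare with the bare squaring chain, for which all-zero blocks sit on the fixed point 0 that the text warns about.

```go
package main

import (
	"fmt"
	"math/big"
)

// n is the modulus size in bits. A real MASH-1 modulus has 512 to 1024 bits and is a
// product of two large primes whose factorization is unknown to every user; the N below
// is a constructed toy (65521 * 65519, a 32-bit composite) so the arithmetic stays visible.
const n = 32

var (
	N     = new(big.Int).Mul(big.NewInt(65521), big.NewInt(65519))
	nMask = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), n), big.NewInt(1)) // 2^n - 1
	A     = new(big.Int).Lsh(big.NewInt(0xF), n-4)                                 // 0xF00...00
)

// expand turns an n/2-bit data block into the n-bit block x_i by setting the four most
// significant bits of every byte to 1111 (the redundancy required by the scheme).
func expand(data []byte) *big.Int {
	out := make([]byte, 0, 2*len(data))
	for _, b := range data {
		out = append(out, 0xF0|(b>>4), 0xF0|(b&0x0F))
	}
	return new(big.Int).SetBytes(out)
}

// mashCompress: H_i = ((x_i xor H_{i-1}) or A)^2 (mod N), chopped to n bits, xor H_{i-1}.
// The chop is taken as the n least significant bits (an assumption of this example).
func mashCompress(hPrev, x *big.Int) *big.Int {
	t := new(big.Int).Xor(x, hPrev)
	t.Or(t, A)
	t.Mul(t, t)
	t.Mod(t, N)
	t.And(t, nMask)
	return t.Xor(t, hPrev)
}

// plainSquareCompress is the same chain without the OR with A, i.e. the bare
// H_i = (x_i xor H_{i-1})^2 mod N xor H_{i-1}; it inherits the fixed points 0 and 1 of squaring.
func plainSquareCompress(hPrev, x *big.Int) *big.Int {
	t := new(big.Int).Xor(x, hPrev)
	t.Mul(t, t)
	t.Mod(t, N)
	t.And(t, nMask)
	return t.Xor(t, hPrev)
}

func chain(compress func(hPrev, x *big.Int) *big.Int, blocks []*big.Int) *big.Int {
	h := big.NewInt(0) // H_0 = 0, a constructed IV
	for _, x := range blocks {
		h = compress(h, x)
	}
	return h
}

// MASHLikeHash splits msg into 2-byte (n/2-bit) data blocks, expands each with the
// redundancy, and chains mashCompress. Length encoding and the standard's output
// transformation are omitted in this example.
func MASHLikeHash(msg []byte) *big.Int {
	m := append([]byte{}, msg...)
	if len(m)%2 != 0 {
		m = append(m, 0x00)
	}
	blocks := make([]*big.Int, 0, len(m)/2)
	for i := 0; i < len(m); i += 2 {
		blocks = append(blocks, expand(m[i:i+2]))
	}
	return chain(mashCompress, blocks)
}

// ZeroBlocksStayZero feeds k all-zero blocks through the chain without redundancy:
// (0 xor 0)^2 is 0, so the chaining value never moves (a trivial fixed point).
func ZeroBlocksStayZero(k int) bool {
	blocks := make([]*big.Int, k)
	for i := range blocks {
		blocks[i] = big.NewInt(0)
	}
	return chain(plainSquareCompress, blocks).Sign() == 0
}

func main() {
	fmt.Println("fixed point without redundancy:", ZeroBlocksStayZero(4))
	fmt.Printf("MASH-like hash of two zero bytes: %#x\n", MASHLikeHash([]byte{0, 0}))
}
```

With the redundancy in place, every value that gets squared is at least 2^{n-4}, so the square is always reduced modulo N; without it, a small input (x_i ⊕ H_{i-1} below √N) is squared without any modular reduction and the step is trivially invertible, which is the "no small inputs" condition stated above.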



Schemes With a Security Reduction. For several schemes there exists a security reduction to a number theoretic problem that is believed to be difficult. However, they are very slow: typically they hash log_2 log_2 N bits per modular squaring (or even per modular exponentiation).

Damgård provides two hash functions for which finding a collision is provably equivalent to factoring an RSA modulus [24]. Gibson proposes a construction based on the discrete logarithm problem modulo a composite [43]. A third approach uses the discrete logarithm problem in a group of prime order p denoted with G_p (Bellare et al. [6], after earlier work by Chaum et al. [18] and Brands). Every non-trivial element of G_p is a generator. The hash function uses t random elements α_i from G_p (α_i ≠ 1). The hash result is then computed as

h(x) = \prod_{i=1}^{t} \alpha_i^{\tilde{x}_i} .

Here \tilde{x}_i is obtained by considering the string x_i as the binary expansion of a number and prepending 1 to it. This avoids trivial collisions when x_i consists of all zeroes.



MDCs Based on Knapsack and Lattice Problems. The knapsack problem (which is a special case of the subset sum problem) of dimensions n and ℓ(n) can be defined as follows: given a set of n l-bit integers {a_1, a_2, ..., a_n}, and an integer S, find a vector x with components x_i equal to 0 or 1 such that

\sum_{i=1}^{n} a_i \cdot x_i = S \bmod 2^{\ell(n)} .

For application to hashing, one needs n > ℓ(n). The knapsack problem is known to be NP-hard; while this means that probably no feasible worst-case algorithm for this problem exists, this does not tell much about the hardness of a random instance. This problem was used in 1978 by Merkle and Hellman to construct the first public-key encryption system [62]. However, almost all public-key schemes based on the knapsack problem have been broken (see for example [65]), which has given the knapsack a bad reputation. The appeal of the knapsack problem (and related lattice based problems) lies in the fact that both hardware and software implementations are very fast compared to schemes based on number theoretic problems. Moreover, evaluation of a knapsack allows for significant parallelism. Finally, interesting security reductions can be proved: examples are the work of Impagliazzo and Naor [50] on knapsacks and that of Ajtai [3] for lattices; Ajtai was able to prove that if the shortest vector in a lattice problem is hard in the worst case, then the knapsack problem is hard on the average. However, some researchers believe that for realistic parameters, both these problems are relatively easy. If they are right, knapsack and lattice problems are not useful to practical cryptography.

Attacks on knapsacks often use the LLL lattice reduction algorithm [56] that finds the shortest vector in a lattice (the algorithm performs in practice much better than can be guaranteed). This reduction to the shortest vector problem only works for ℓ(n) > 1.0629 · n. Knapsack problems become more difficult when n ≈ ℓ(n); however, the performance of the hash function decreases with the value n − ℓ(n). For n = ℓ(n), the best known attack requires time O(2^{n/2}) and space O(2^{n/4}). Impagliazzo and Naor summarize the state of the art in [50]. A different class of attacks are the algebraic attacks proposed by Camion and Patarin [14] and optimized by Patarin in [66]; these attacks tend to work better when n ≫ ℓ(n). The scheme of Damgård [26] has been broken both using LLL [52] and using algebraic techniques [66]. It is for the time being an open problem whether a random knapsack with n = 1024, l = 512, and ℓ = 512 is hard to solve.

Impagliazzo and Naor describe an efficient construction for a UOWHF (cf. Sect. 2.3) and provide a reduction of its security to that of the knapsack problem [50]. Ajtai introduced a function that is one-way (or preimage resistant) if the problem of approximating the shortest vector in a lattice to polynomial factors is hard [3]. Goldreich et al. have proved that the function is in fact collision resistant [48].

Several multiplicative knapsacks have also been proposed; multiplicative notation is used for non-Abelian groups. The earliest proposal dates back to ’77 (but it was quickly shown to be insecure). Recent examples are the schemes by Zémor [88] and Tillich and Zémor [84]. Their security is based on the hardness of finding short factorizations in certain groups. In some cases one can even prove a lower bound on the Hamming distance between colliding messages. Attacks on these proposals (for certain parameters) can be found in [17,41]. Impagliazzo and Naor also extend their construction of a UOWHF to multiplication in a group [50].

Knapsack and lattice based hash functions have also the potential problem 
that trapdoors may be inserted when the vectors are generated. Therefore it is 
recommended that the instance generation is reproducible (for example, through 
the use of a pseudo-random string generator or a hash function) . 
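As an added example (not from the paper), the Go code below defines a toy knapsack hash for one n-bit block, S = ∑ a_i · x_i mod 2^{ℓ(n)} as defined at the start of this subsection, and derives the weights a_i from a public seed with SHA-256 used as the pseudo-random string generator, following the recommendation just given that instance generation be reproducible so that no trapdoor can be planted in hand-picked weights. The dimensions n = 64, l = 32, ℓ(n) = 32, the seed and the sample block are assumptions of the example; real parameters are far larger (the open question above concerns n = 1024).

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Toy knapsack dimensions (constructed for the example).
const (
	nDim   = 64 // n: number of weights and of input bits per block
	lBits  = 32 // l: size in bits of each weight a_i
	ellOut = 32 // ell(n): the sum is reduced mod 2^ell(n); hashing needs n > ell(n)
)

// DeriveWeights generates a_1, ..., a_n reproducibly from a public seed, using SHA-256
// as a pseudo-random generator. Anyone can re-derive and audit the instance, which is
// the defence against a generator who plants a trapdoor in hand-picked weights.
func DeriveWeights(seed []byte) []*big.Int {
	weights := make([]*big.Int, nDim)
	for i := range weights {
		h := sha256.New()
		h.Write(seed)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		h.Write(idx[:])
		digest := h.Sum(nil)
		weights[i] = new(big.Int).SetBytes(digest[:lBits/8]) // keep l bits
	}
	return weights
}

// KnapsackHash computes S = sum_{i=1}^{n} a_i * x_i mod 2^ell(n) for one n-bit block x
// (x_i is bit i of the block, most significant bit first).
func KnapsackHash(weights []*big.Int, x []byte) *big.Int {
	if len(x)*8 != nDim {
		panic("block must be exactly n bits")
	}
	modulus := new(big.Int).Lsh(big.NewInt(1), ellOut)
	s := new(big.Int)
	for i := 0; i < nDim; i++ {
		if (x[i/8]>>(7-uint(i%8)))&1 == 1 {
			s.Add(s, weights[i])
		}
	}
	return s.Mod(s, modulus)
}

func main() {
	w := DeriveWeights([]byte("public seed for the example"))
	block := []byte("8 bytes!") // constructed 64-bit input block
	fmt.Printf("h(block) = %#x\n", KnapsackHash(w, block))
}
```

The linearity that makes the function so fast and parallel is also what an auditor should keep in mind: the sum over disjoint bit sets adds, and the all-zero block always hashes to 0, so a real scheme surrounds this compression step with the usual chaining, padding and length encoding.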



Incremental Hash Functions. A hash function (or any cryptographic primitive) is called incremental if it has the following property: if the hash function has been evaluated for an input x, and a small modification is made to x, resulting in x', then one can update h(x) in time proportional to the amount of modification between x and x', rather than having to recompute h(x') from scratch. If a function is incremental, it is automatically parallelizable as well.

This concept was first introduced by Bellare et al. [6]. They also made a 
first proposal based on exponentiation in a group of prime order. Improved 
constructions were proposed by Bellare and Micciancio [8] that consist of two 
steps: 

— First the message is divided into blocks; each block (together with its index) 
is hashed using a conventional collision resistant hash function (restricted 
to fixed length inputs). This is called the ‘randomization’ step as in the 
analysis the hash function is treated as an ‘ideal’ hash function or random 
oracle (which is a very demanding requirement). 

— Next the different outputs are combined using a group operation. This can 
be a group of large prime order in which the discrete logarithm problem 
is hard, and modular addition. The first approach leads to a reduction to 
the discrete logarithm problem, while the second leads to a reduction to the 
‘weighted knapsack’ problem. 

The same techniques can also be used to improve the lattice based hash function. 
These schemes have the advantage that they are much more efficient than the 
other schemes studied in this section. However, this comes at a cost of requiring 
a collision resistant hash function, which also has to behave ‘perfectly random.’ 
This construction is remarkable, as it construct a collision resistant function 
based on a one-way property (but with specific algebraic structure, so there is 
no contradiction to the result of Simon [82] discussed in Sect. 3.3). 
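An added example of the two-step construction (not the authors' code): Go code that randomizes each (index, block) pair with SHA-256 and combines the results by multiplication in Z_p^* for the toy prime p = 2^61 − 1, then updates the hash after one block changes by dividing out the old contribution and multiplying in the new one. The choice of SHA-256 as the conventional hash, the group, the block boundaries and the sample input are assumptions of the example; Z_p^* here is not of large prime order and is far too small for security, it only shows the mechanics.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// p is a toy modulus, the Mersenne prime 2^61 - 1 (constructed choice). A real
// instantiation needs a group of large prime order in which discrete logs are hard.
var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 61), big.NewInt(1))

// randomize is the first step: hash (index, block) with a conventional hash function,
// here SHA-256, and map the digest into [1, p-1] so that it is a non-zero group element.
func randomize(index int, block []byte) *big.Int {
	h := sha256.New()
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], uint64(index))
	h.Write(idx[:])
	h.Write(block)
	e := new(big.Int).SetBytes(h.Sum(nil))
	e.Mod(e, new(big.Int).Sub(p, big.NewInt(1)))
	return e.Add(e, big.NewInt(1))
}

// IncrementalHash is the second step: combine all randomized blocks with the group
// operation (multiplication modulo p).
func IncrementalHash(blocks [][]byte) *big.Int {
	acc := big.NewInt(1)
	for i, b := range blocks {
		acc.Mul(acc, randomize(i, b))
		acc.Mod(acc, p)
	}
	return acc
}

// UpdateBlock recomputes the hash after block j changes from oldBlock to newBlock in
// time independent of the number of blocks: divide out the old contribution (multiply
// by its inverse modulo p) and multiply in the new one.
func UpdateBlock(h *big.Int, j int, oldBlock, newBlock []byte) *big.Int {
	inv := new(big.Int).ModInverse(randomize(j, oldBlock), p)
	out := new(big.Int).Mul(h, inv)
	out.Mod(out, p)
	out.Mul(out, randomize(j, newBlock))
	return out.Mod(out, p)
}

func main() {
	// constructed input: three message blocks
	blocks := [][]byte{[]byte("block 0"), []byte("block 1"), []byte("block 2")}
	h := IncrementalHash(blocks)
	updated := UpdateBlock(h, 1, blocks[1], []byte("block 1 edited"))
	blocks[1] = []byte("block 1 edited")
	fmt.Println("incremental update matches recomputation:",
		updated.Cmp(IncrementalHash(blocks)) == 0)
}
```

Because the index is hashed together with the block, swapping two blocks changes the result, and because every contribution is an invertible group element the update is exact rather than approximate. The cost side noted above is visible too: the whole argument rests on SHA-256 behaving like an ideal hash on the (index, block) pairs.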
4.3 Custom Designed MDCs

This section discusses a selection of custom designed hash functions, i.e., algorithms that were especially designed for hashing operations. Most of these algorithms use the Davies-Meyer approach (cf. Sect. 4.1): the compression function is a block cipher, ‘keyed’ by the text input x_i; the plaintext is the value H_{i-1}, which is also added to the ciphertext (feedforward).

In 1990, R. Rivest proposed MD4 [75], a hash function with a 128-bit result 
based on 32-bit integer arithmetic. While this hash function proved to be not 
sufficiently strong, the innovative design ideas have influenced many other de- 
signs. The algorithms derived from it (with improved strength) are often called 
the MDx-family. This family contains the most popular hash functions in use 
today. Dobbertin has found collisions for MD4; his attack combines algebraic 
techniques and optimization techniques such as genetic algorithms [32,33]. It 
can be extended in such a way that even ‘meaningful’ collisions are obtained: 
the complete message (except for a few dozen bytes) is under complete control 
of the attacker. His attack also applies to the compression function of ‘extended 
MD4’ [75], which consists of concatenating two loosely coupled instances of MD4. 
Later Dobbertin showed that a reduced version of MD4 (2 rounds out of 3) is 
not preimage resistant [35]. 

Following early attacks on MD4 by Merkle and den Boer and Bosselaers [29], Rivest quickly designed a strengthened version, namely MD5 [76]. It was however shown by den Boer and Bosselaers [30] that the compression function of MD5 is not collision resistant (but their collisions are of the form f(H_{i-1}, x_i) = f(H'_{i-1}, x_i), which is not immediately usable in practice). Dobbertin has extended his attack on MD4 to yield collisions for the compression function of MD5, i.e., f(H_{i-1}, x_i) = f(H_{i-1}, x'_i), where he has some control over H_{i-1} [34]. It is believed that it is feasible to extend this attack to collisions for MD5 itself (that is, to take into account the IV).

A second improved variant of MD4, the Secure Hash Algorithm, was proposed by NIST [38] in 1993. The size of the hash result is increased from 128 to 160 bits and the message words are not simply permuted but encoded with a shortened cyclic code. After a few years, NSA discovered a certificational weakness in SHA; apparently collisions can be found in less than 2^{80} operations. Consequently a new release of the standard was published. The new algorithm is called SHA-1 [39]. Recently Chabaud and Joux have published an attack that finds collisions for SHA in 2^{61} operations [16]; it is probably similar to the (classified) attack developed earlier that prompted the upgrade to SHA-1.

Yet another improved version of MD4, called RIPEMD, was developed in 
the framework of the EEC-RACE project RIPE [74]. Due to partial attacks by 
Dobbertin [32], it was later upgraded by Dobbertin et al. to RIPEMD-128 and 
RIPEMD-160, that have a 128-bit and a 160-bit result respectively [36]. Variants 
with a 256 and 320-bit result have been introduced as well. Together with SHA- 
1, RIPEMD-128 and RIPEMD-160 are the three custom designed hash functions 
included in ISO/IEC 10118-3 [51]. 
Merkle suggested in 1989 a software oriented one-way hash function called 
Snefru [61]. It is based on large random substitution tables (2 Kbyte per pass) 
and allows for a variable size of the result (128 or 256 bits). Biham and Shamir 
have shown that Snefru-128 [11] is vulnerable to differential attacks. As a con- 
sequence it is recommended to use 6 and preferably 8 passes, preferably with a 
256-bit hash result. However, these measures increase the size of the substitution 
tables and decrease the performance. 

Two of the most recent designs are Tiger and Panama. Tiger was proposed 
by Anderson and Biham [4]. It is tuned towards 64-bit processors and mixes 
Snefru-type S-boxes (8 input bits and 64 output bits) with arithmetic operations. 
Panama is a design of Daemen and Clapp [23]; it has been designed to take 
advantage of the instruction-level parallelism in modern processors. 

5 Conclusions and Open Problems 

In spite of the popularity of cryptographic hash functions, very few theoretical 
results are known in this area; it is clear that further research is necessary to 
improve our understanding of these primitives. Collision resistance seems to be a 
condition that is particularly hard to analyze. Some open problems are whether 
it is possible to construct collision resistant hash functions based on weaker 
assumptions, and whether any theory can be developed to support the current 
constructions. 

In the area of practical constructions, there is a need for more efficient hash 
functions, the security of which is better understood. For hash functions based 
on block ciphers, the main problem seems to be the assumptions on the block 
cipher. From an application viewpoint, multiplicative knapsacks seem to be very 
attractive (due to inherent parallelism and due to the fact that certain properties 
can be proved). However, further research is necessary to assess their security. 
Another research problem is to understand to which extent the current construc- 
tions provide other security properties such as pseudo-randomness and partial 
preimage resistance; both properties are related to the difficulty of inverting the 
hash function if part of the input is known. 
Abstract. In 1982, Bennett and Brassard suggested a new way to provide privacy in long distance communications with security based on the correctness of the basic principles of quantum mechanics. The scheme allows two parties, Alice and Bob, sharing no secret information in the first place, to exchange messages that nobody else can figure out. The only requirement is a quantum channel and a normal phone line connecting the two parties. The fact that quantum mechanics provides unconditionally secure communications is a remarkable result that cannot be achieved by classical techniques alone. Apart from secure communication, cryptography is also interested in tasks that aim at protecting one party against a potentially dishonest peer. This scenario, called secure two-party computation, is usually modelled by a function f(x_A, x_B) where x_A and x_B are Alice’s and Bob’s secret input respectively. They would like to execute a protocol that produces z = f(x_A, x_B) to both parties without disclosing their secret input to the other party. The only information about a secret input that can be leaked toward the other party is what the output z itself discloses about it. Unlike secure communication, secure two-party computation does not assume that Alice and Bob are honest. One honest party’s input should remain secret whatever the other party’s behaviour. It is well-known that in order to find a protocol for secure two-party computation, one must have access to a secure bit commitment scheme. Unfortunately, in 1996 Mayers showed that no secure quantum bit commitment scheme exists. Similarly to the classical case (where trapdoor one-way functions are needed) quantum cryptography does not provide secure two-party computation for free. In this paper, we discuss the possibilities and limits of quantum cryptography for two-party computation. We describe the essential distinctions between classical and quantum cryptography in this scenario.



1 Introduction 

Quantum cryptography aims at designing cryptographic protocols with security 
guaranteed by the fundamental laws of quantum mechanics. In 1982, Bennett 
and Brassard [1] proposed two quantum protocols: Quantum key distribution 
(QKD), and quantum coin tossing. Quantum key distribution allows two par- 
ties, Alice and Bob, who share no information to agree on a common secret key 
k ∈ {0, 1}^l for some l > 0. Typically, once Alice and Bob share k, Alice can encrypt any message m ∈ {0, 1}^l as c = m ⊕ k. The ciphertext c is then sent to Bob over a normal channel that can be eavesdropped at will. It is well-known that this encryption method (called the one-time pad) does not leak information about m to an eavesdropper as long as k is unknown. This means that whenever a new message m has to be sent secretly, Alice and Bob first use QKD in order to get a fresh secret key k that is used for encrypting m. The point here is that no classical method whatsoever can achieve this without relying upon some assumptions [42]. Classically, the security of secret-key exchange can be based upon a limitation of the computing time an attacker can spend in order to find the key [19]. However, it is very unlikely that one could prove that a secure classical cryptosystem would guarantee absolute security against eavesdroppers limited to spend only polynomial time. A proven security statement like this would imply that P ≠ NP. On the other hand, if secret-key distribution is implemented quantumly then security can be achieved under the only assumption that the basic axioms of quantum mechanics are correct. This offers advantages compared to the classical cryptosystems since the notion of security is independent of the model of computation. This is important since it is possible that all practical public-key cryptosystems are secure against attackers modelled by Turing machines but not against attackers modelled by quantum Turing machines. As an example, RSA [39] and Diffie-Hellman [19] cryptosystems are breakable by quantum attackers since the quantum computer can factorize and extract discrete logs in polynomial time [41].

The idea behind the Bennett-Brassard scheme for QKD [1,2] is that any 
eavesdropper trying to get information by intercepting the communication on 
the quantum channel will be detected. This is because unknown quantum states 
cannot be observed without disturbing the state irreversibly. The disturbance 
can be detected by Alice and Bob by exchanging information over the public 
channel. The scheme ensures them that if they don’t find too many errors it 
is because no threatening eavesdropping occurred during the quantum trans- 
mission. The key they are going to agree on should therefore be secret. Several 
papers have been written about the security of the Bennett-Brassard scheme. In 
[2], the scheme was shown secure against an attacker performing the so called 
intercept-resend attack. Intercept-resend attacks are the ones where the attacker 
keeps the original particles and resends others according to the outcome of a 
complete test (complete tests will be defined in section 3.1). The security of the 
scheme was shown against much stronger but still limited attackers in [6] . Very 
recently, the proof of security has been extended to cover all possible cases sound 
with quantum mechanics axioms [35]. It follows that quantum mechanics allows one to achieve one of the most important cryptographic tasks without any assumption. Moreover, experimental implementations have demonstrated that quantum 
cryptography is also practical [2,37,43,24]. 

What about the other protocol introduced by Bennett and Brassard in 1982 
[1]: Quantum coin tossing? A coin tossing protocol takes place between Alice and 
Bob and guarantees that a random bit r ∈ {0, 1} is generated [7]. Even when one party is dishonest the outcome of the coin toss is random. This means that 
no dishonest party can influence the outcome. Unlike the protocol for QKD, 
it was already known by the authors that the proposal could be broken by 
a dishonest party able to produce and manipulate entangled quantum states. 
Loosely speaking, an entangled quantum state is the state of several particles 
such that: 

— Observing one part of the system produces a random outcome and 

— once the outcome is known, the state or the rest of the system is also known. 

In other words, the state of each particle is correlated with the others. These 
states are rather difficult to prepare and were out of reach back in 1982. Today 
however, the entanglement needed in order to break the scheme can easily be 
produced in laboratory. From the beginning, coin tossing already appeared more 
difficult to achieve than QKD whereas classically, coin tossing is easier than 
secret-key distribution [23]. 

The coin tossing protocol proposed by Bennett and Brassard was in fact implementing
a more powerful primitive called bit commitment. A bit commitment
scheme allows Alice to commit to the value of a bit in a way that prevents Bob
from learning it but also in a way that prevents Alice from changing her mind. A coin
toss is easily achieved using a bit commitment scheme:

— Alice commits to a random $r_A \in \{0, 1\}$,

— Bob announces a random $r_B \in \{0, 1\}$,

— Alice unveils $r_A$,

— Alice and Bob set $r =$

The advantage of considering bit commitment is that it allows one to prove knowledge
of a statement without divulging it [10,20]. This kind of cryptographic task
is important for solving natural cryptographic problems like identification, zero-knowledge
proofs of knowledge, etc. However, there are tasks that even bit
commitment cannot help to solve.

An oblivious transfer is a protocol that allows Alice to send Bob $x \in \{0, 1\}$
in such a way that:

— Bob receives $x$ with probability $\frac{1}{2}$ and knows it. When $x$ is not received, Bob
gets no information on $x$.

— Alice has no information on whether or not Bob received $x$.

Classically, it would be a major breakthrough if one could show that bit commitment
and oblivious transfer can be based on the same computational assumptions
[23]. Oblivious transfer seems strictly more powerful than bit commitment
in the classical world. It allows one to build bit commitment quite easily, but the
opposite will turn out to be true only if the existence of one-way functions implies
the existence of trapdoor one-way functions. Coin tossing, bit commitment and
oblivious transfer are all protocols involving two parties who want to cooperate
while respecting their privacy. The most general task one can imagine in this
model is the so-called secure two-party computation (S2PC). A protocol for S2PC
is a generic protocol between Alice and Bob taking as input the description of
a function $f : \{0, 1\}^{n} \times \{0, 1\}^{n} \to \{0, 1\}^{m}$ and secret strings $x_A, x_B \in \{0, 1\}^{n}$
for Alice and Bob respectively. The output is the value $f(x_A, x_B)$ that is made
available to both parties. The protocol is secure if

1. it computes the correct output, and

2. it leaks, to each player, no more information than $f(x_A, x_B)$ about the input
of the other party.

Although S2PC seems quite general, an oblivious transfer is sufficient in order
for a secure protocol to exist [26,18]. It follows that the most general primitive
for solving any secure two-party computation is oblivious transfer.

From the above, it is natural to ask if oblivious transfer can be implemented
quantumly. A positive answer would allow one to base almost all modern cryptography
upon the correctness of quantum mechanics, that is upon the laws of physics
as we observe them. Oblivious transfer can therefore be seen as the Holy Grail
of quantum cryptography.



1.1 Overview 

Basically, quantum mechanics allows one to transmit information in a way that is
similar to a transmission through a binary symmetric channel. Quantum mechanics,
by virtue of the uncertainty principle, allows one to encode information in such a
way that the receiver cannot always decode it. Measuring an arbitrary quantum
state destroys it and does not extract all the information. Measurements
are therefore not repeatable, so the uncertainty about the measured state always
remains. This inherent noisiness is at the basis of all quantum protocols, including
the one for secret-key distribution. Noisy channels, at least some of them, are
powerful cryptographic primitives since they allow one to build secure protocols for
oblivious transfer [16]. In 1991, Bennett, Brassard, Crépeau and Skubiszewska
proposed a quantum protocol for oblivious transfer [5]. Their protocol assumes
that Alice and Bob have access, as a black-box primitive, to a secure bit commitment
scheme. Under this assumption, several results about the security of the
scheme were shown [5,15,36,46]. The result of Yao [46] showed that the scheme
is secure according to the laws of quantum mechanics, given bit commitment
as a black box. The result showed that bit commitment is sufficient to build a
quantum oblivious transfer, whereas classically this seems impossible.

There were reasons to be optimistic in 1995; the Holy Grail was in sight.
Not for long though! In 1995, Mayers [32] broke the most serious candidate for
quantum bit commitment [12] (although at that time it was not even considered
a candidate but a genuine bit commitment scheme). Then, things got worse.
In 1996, Mayers [33] and independently Lo and Chau [27] gave a general
attack that can be applied to general quantum protocols for bit commitment.
Mayers' construction [33,34] turns out to be so general that the existence of
quantum bit commitment, with security relying merely upon the correctness of
quantum mechanics, was ruled out. Quantum bit commitment, like its classical
counterpart, needs extra assumptions in order to be implemented. However, the
classical and quantum assumptions can be of very different and independent
natures [40]. It is of interest to have different sets of independent and realistic
assumptions under which bit commitment and, more generally, oblivious transfer
are possible. This allows one to choose the model (classical or quantum) that best
suits the requirements of a particular application.

This paper describes the main steps in the search for secure quantum oblivious
transfer. We shall see how the principles of quantum mechanics help in implementing
a flavour of noisy channel as a primitive. We describe how to use this primitive
to implement oblivious transfer given a black box for bit commitment. We
then describe Mayers' attack that breaks any quantum bit commitment. The
description of the attack is a good starting point for getting accustomed to the
weirdness of quantum information. It exhibits highly non-classical behaviour
and, more importantly, it suggests how to look at quantum protocols in order
not to over-classicize their behaviour. It has been demonstrated many times
that thinking classically about the security of a quantum protocol can lead to
false conclusions.



1.2 Content 

In section 2, we introduce the mathematical concepts that are used throughout
the paper. In section 3, we define quantum states and measurements using the
standard physical representation. In section 4, we describe the standard way to
obliviously encode classical information in quantum states. In section 5, we show
how to reduce quantum oblivious transfer to the oblivious quantum encoding
given a bit commitment scheme. In section 6, we describe Mayers' attack against
any quantum bit commitment scheme. We conclude in section 7.



2 Mathematical Background 

Here, we introduce a suitable vector space for the representation of quantum
objects. We then introduce the definitions and basic properties of linear operators
relevant to our discussion. More complete information can be found in almost
any book about the basics of linear algebra.



2.1 Vectors and Vector Spaces 

In quantum mechanics, states, system evolutions and measurements are all represented
by objects in a complex vector space. An appropriate vector space is
called a Hilbert space which is, for our purposes, not different from a complex
vector space with the scalar or inner product defined. In the following we denote
by $a^*$ the complex conjugate of any number $a \in \mathbb{C}$. Let $u = (u_1, \ldots, u_n)$ and $v = (v_1, \ldots, v_n)$
be two arbitrary vectors which belong to the same arbitrary
Hilbert space $\mathcal{H}$. The inner product $\langle u, v \rangle \in \mathbb{C}$ between $u$ and $v$ is defined as

$$\langle u, v \rangle = \sum_{i=1}^{n} u_i^* v_i.$$

From the inner product (or scalar product) we define the norm (or length)
$\|v\|$ of vector $v \in \mathcal{H}$ by $\|v\|^2 = \langle v, v \rangle \in \mathbb{R}$. Two vectors $u$ and $v$ are orthogonal
if $\langle u, v \rangle = 0$. We say that a vector is normalized if its norm is 1. As usual, any
vector $v \in \mathcal{H}$ can be written as a linear combination of the vectors of any one of
infinitely many possible bases. In the following, $\mathcal{H}_n$ stands for the $n$-dimensional Hilbert space. A
basis $E = \{e_1, \ldots, e_n\}$ for $\mathcal{H}_n$ is said to be orthonormal if for all $1 \le i \ne j \le n$
we have that $\langle e_i, e_j \rangle = 0$ and $\|e_i\| = 1$.



2.2 Dirac’s Notation 

A very popular notation for vectors and operators in a Hilbert space is
Dirac's notation. In Dirac's notation, vectors representing states are denoted by
a ket. For any vector $v = (v_1, \ldots, v_m) \in \mathcal{H}_m$, we write the state of a quantum
attribute by $|v\rangle$. One can see $|v\rangle$ as the column vector:

$$|v\rangle = \begin{pmatrix} v_1 \\ \vdots \\ v_m \end{pmatrix}.$$

The ket notation allows one to simplify expressions. In particular, it is often convenient
to drop the description of vector $v$, using only symbolic notations. One
possible orthonormal basis for $\mathcal{H}_2$ is $+ = \{(1, 0), (0, 1)\}$. Basis $+$ is called the
standard or computational or rectilinear basis. The orthonormal vectors for the
standard basis are $+ = \{|0\rangle, |1\rangle\} = \{|0\rangle_+, |1\rangle_+\}$. Another important orthonormal
basis in $\mathcal{H}_2$ is the diagonal basis $\times = \{(\frac{1}{\sqrt{2}}, \frac{1}{\sqrt{2}}), (\frac{1}{\sqrt{2}}, -\frac{1}{\sqrt{2}})\} = \{|0\rangle_\times, |1\rangle_\times\}$.

Together with the ket comes the bra notation. If $v = (v_1, \ldots, v_m) \in \mathcal{H}_m$ then
the bra of $v$ is noted $\langle v|$ and is defined as the row vector $\langle v| = (v_1^*, \ldots, v_m^*)$.

Bras and kets can be combined in order to denote operations. For $u = (u_1, \ldots, u_m), v = (v_1, \ldots, v_m) \in \mathcal{H}_m$ we have that $\langle v|u\rangle = \sum_{i=1}^{m} v_i^* u_i$ is the
inner product between $v$ and $u$. Another operation, sometimes called the dyadic,
is denoted by $|u\rangle\langle v|$ and is such that

$$|u\rangle\langle v| = \begin{pmatrix} u_1 v_1^* & u_1 v_2^* & \cdots & u_1 v_m^* \\ u_2 v_1^* & u_2 v_2^* & \cdots & u_2 v_m^* \\ \vdots & \vdots & \ddots & \vdots \\ u_m v_1^* & u_m v_2^* & \cdots & u_m v_m^* \end{pmatrix}.$$

For any $v \in \mathcal{H}_m$, $|v\rangle\langle v|$ is a matrix $V = \{v_{ij}\}$ such that for all $i \ne j$ we
have $v_{ij} = v_{ji}^*$ and $v_{ii} \in \mathbb{R}$. In the following, and except when stated otherwise, we
shall use vectors with only real components. In this case, the bra and the ket of
vector $v$ have the same components, the first one being $v$ as a row vector and the
latter being $v$ as a column vector. The inner product between $u = (u_1, \ldots, u_m) \in \mathbb{R}^m$
and $v = (v_1, \ldots, v_m) \in \mathbb{R}^m$ is simply $\sum_{i=1}^{m} u_i v_i$.



2.3 Unitary Evolution 



We shall see in the next section that vectors in a Hilbert space represent quantum
states. The possible evolution of a quantum state can always be described by
a unitary transformation. We say that a transformation in an $m$-dimensional
Hilbert space is unitary if it can be written as a bijective mapping between
two orthonormal bases. The following transformation is unitary and acts in a
2-dimensional Hilbert space:

$$H : |0\rangle \mapsto \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \qquad |1\rangle \mapsto \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle).$$

Any unitary transformation acting in an $m$-dimensional Hilbert space can easily
be written as an $m \times m$ matrix. We only have to label each column and each row
by one vector of the basis $E = \{e_1, \ldots, e_m\}$ we start with. The matrix entry
labelled $(e_i, e_j)$ contains the complex number that appears in front of vector
$e_j$ when the input state is $e_i$. For example, the matrix form for $H$ is:

$$H = \begin{array}{c|cc} & |0\rangle & |1\rangle \\ \hline |0\rangle & \frac{1}{\sqrt{2}} & \frac{1}{\sqrt{2}} \\ |1\rangle & \frac{1}{\sqrt{2}} & -\frac{1}{\sqrt{2}} \end{array} \;=\; \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}.$$

In the following we will also use the sign shift operator $S$ acting on vectors in
$\mathcal{H}_2$ and defined as

$$S : |0\rangle \mapsto |0\rangle, \qquad |1\rangle \mapsto -|1\rangle.$$

For any vector $v = (v_1, v_2) \in \mathcal{H}_2$, $S$ applied on $v$ produces the vector $v' = (v_1, -v_2)$.
The matrix representation of $S$ is

$$S = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$$

Any unitary transformation $U$ has an inverse $U^{-1} = U^\dagger$ where $U^\dagger$ is the transposed
conjugate of $U$ (also called the Hermitian conjugate). One important property
of unitary transforms is that they always preserve the inner product (i.e. for all
$u, v \in \mathcal{H}$ we have that $\langle u|v\rangle = \langle Uu|Uv\rangle$).

Throughout this paper, we shall denote operators by capital letters. When
we write $A \in \mathcal{H}$, we mean that $A$ is an operator acting on vectors in $\mathcal{H}$.
2.4 Relevant Operators

A special case of operators, called Hermitian operators, will be useful in order to define
what a measurement of a quantum state is. An operator $A \in \mathcal{H}_n$ is Hermitian if,
when $A$ is expressed as an $n \times n$ matrix, we have that

1. for all $i \in \{1, \ldots, n\}$ the element $a_{ii} \in \mathbb{R}$. This means that all principal
diagonal elements are real.

2. for all $i \ne j$, $a_{ij} = a_{ji}^*$.

A Hermitian operator $A$ is always such that $A = A^\dagger$. When $A$ contains only
real elements, then $A$ is Hermitian if and only if $A$ is symmetric. Projections are
special cases of Hermitian operators:

Definition 1. A Hermitian operator $P$ that satisfies $P = PP$ is called a projection.

The condition $P = PP$ translates what we intuitively consider a projection,
namely that a projection does not transform vectors that are parallel to the rays
on which it projects. One can show that $A$ is Hermitian in $\mathcal{H}_m$ if and only if it
can be written, for some $l \le m$, as

$$A = \sum_{i=1}^{l} a_i P_i \tag{1}$$

where the $P_i$'s are projection operators projecting on mutually orthogonal rays.
We say that $v$ is an eigenvector with eigenvalue $a \in \mathbb{C}$ if $A$ is such that $av = Av$.
The zero vector $0$ is not an eigenvector but $a = 0$ is a possible eigenvalue. The set
$E_A = \{a_i\}_{i=1}^{l}$ is the set of eigenvalues of $A$ and the decomposition appearing in
equation 1 is called the spectral decomposition of $A$. If $\#E_A = m$ then the spectral
decomposition is unique and all projections are onto orthogonal subspaces of
dimension 1 (i.e. they project on rays). One can verify that all Hermitian operators
have only real eigenvalues. The following projection operators are relevant
to our discussion:

$$P_0 = \begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix}, \quad P_{\frac{\pi}{4}} = \frac{1}{2}\begin{pmatrix} 1 & 1 \\ 1 & 1 \end{pmatrix}, \quad P_{\frac{\pi}{2}} = \begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix}, \quad P_{\frac{3\pi}{4}} = \frac{1}{2}\begin{pmatrix} 1 & -1 \\ -1 & 1 \end{pmatrix}.$$

In the above, projection $P_\alpha$, for $\alpha \in \{0, \frac{\pi}{4}, \frac{\pi}{2}, \frac{3\pi}{4}\}$, is the projection on the ray
(i.e. one-dimensional subspace) at angle $\alpha$ with vector $(1, 0)$. The projection
operator $P_v$ on the ray parallel to the normalized vector $v \in \mathcal{H}_m$ is $P_v = |v\rangle\langle v|$.
For instance, the above projections are $P_0 = |0\rangle\langle 0|$, $P_{\frac{\pi}{4}} = |0\rangle_\times\langle 0|$, $P_{\frac{\pi}{2}} = |1\rangle\langle 1|$, and
$P_{\frac{3\pi}{4}} = |1\rangle_\times\langle 1|$.

The trace $\mathrm{Tr}(A)$ of an operator $A \in \mathcal{H}$ is the sum of its principal diagonal
elements. More formally, we write

$$\mathrm{Tr}(A) = \sum_{e \in E} \langle e|Ae\rangle \tag{2}$$

for any orthonormal basis $E$ for $\mathcal{H}$. It is easy to verify that any projection $P$ on a ray is such that
$\mathrm{Tr}(P) = 1$. The trace has the following properties:
1. $\mathrm{Tr}(A + B) = \mathrm{Tr}(A) + \mathrm{Tr}(B)$,

2. $\mathrm{Tr}(cA) = c\,\mathrm{Tr}(A)$ for $c \in \mathbb{C}$, and

3. $\mathrm{Tr}(AB) = \mathrm{Tr}(BA)$.

It follows from equation 1 that if $A$ has eigenvalues $E_A$ then

$$\mathrm{Tr}(A) = \sum_{a \in E_A} a\,\mathrm{Tr}(P_a) = \sum_{a \in E_A} a. \tag{3}$$

We shall see in section 3.4 that general quantum states are modelled by a special
class of operators characterized by their traces:

Definition 2. An operator $D$ is a density operator if $\mathrm{Tr}(D) = 1$.

2.5 Space Extension

Two Hilbert spaces $\mathcal{H}_1$ and $\mathcal{H}_2$ can be merged together in order to get a larger
one $\mathcal{H}$ containing both of them. Let $m_1$ and $m_2$ be the dimensions of $\mathcal{H}_1$ and $\mathcal{H}_2$
and let $E = \{e_1, \ldots, e_{m_1}\}$ and $F = \{f_1, \ldots, f_{m_2}\}$ be orthonormal bases for $\mathcal{H}_1$
and $\mathcal{H}_2$ respectively. We define the tensor product operation "$\otimes$" that allows,
given $E$ and $F$, to get a new orthonormal basis $H$ for the $m_1 m_2$-dimensional
Hilbert space $\mathcal{H} = \mathcal{H}_1 \otimes \mathcal{H}_2$. The tensor product is a dyadic operation acting upon
vectors. If vector $e = (e_1, \ldots, e_{m_1})$ and $f = (f_1, \ldots, f_{m_2})$ then we define:

$$e \otimes f = \begin{pmatrix} e_1 f_1 \\ e_1 f_2 \\ \vdots \\ e_1 f_{m_2} \\ e_2 f_1 \\ \vdots \\ e_{m_1} f_{m_2} \end{pmatrix}. \tag{4}$$

It is now possible to define $\mathcal{H} = \mathcal{H}_1 \otimes \mathcal{H}_2$ as the Hilbert space generated by
the orthonormal basis $H = \{e_1 \otimes f_1, e_1 \otimes f_2, \ldots, e_{m_1} \otimes f_{m_2}\}$. The tensor product
operation can also be generalized in order to deal with operators as well.
Assume $A$ is an operator in the $m_1$-dimensional Hilbert space $\mathcal{H}_1$ and $A'$ is an
operator in the $m_2$-dimensional Hilbert space $\mathcal{H}_2$. Assume $A = \{a_{ij}\}_{1 \le i,j \le m_1}$
and $A' = \{a'_{ij}\}_{1 \le i,j \le m_2}$ are expressed as $m_1 \times m_1$ and $m_2 \times m_2$ square matrices
respectively. The composite operator $A \otimes A' \in \mathcal{H}_1 \otimes \mathcal{H}_2$ is defined as

$$A \otimes A' = \begin{pmatrix} a_{11} A' & a_{12} A' & \cdots & a_{1 m_1} A' \\ a_{21} A' & a_{22} A' & \cdots & a_{2 m_1} A' \\ \vdots & \vdots & \ddots & \vdots \\ a_{m_1 1} A' & a_{m_1 2} A' & \cdots & a_{m_1 m_1} A' \end{pmatrix}.$$
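The tensor product of equation (4), the block-matrix form of $A \otimes A'$ and the unitarity checks of section 2.3, as an added example that is not code from Salvail's paper: it uses the paper's $H$ and $S$ on real vectors, builds the basis $\{e_i \otimes f_j\}$ of $\mathcal{H}_2 \otimes \mathcal{H}_2$, and checks the standard identity $(A \otimes A')(e \otimes f) = Ae \otimes A'f$ (assumed here; the page does not state it).

```python
import math

# Added example, not from Salvail's paper: vectors are lists of floats and
# operators are lists of rows. All components are real, following section 2.2.

SQRT2 = math.sqrt(2.0)
H = [[1 / SQRT2, 1 / SQRT2], [1 / SQRT2, -1 / SQRT2]]   # Hadamard-like map of section 2.3
S = [[1.0, 0.0], [0.0, -1.0]]                            # sign shift operator
KET0 = [1.0, 0.0]                                        # |0>_+
KET1 = [0.0, 1.0]                                        # |1>_+


def inner(u, v):
    """<u, v> = sum_i u_i v_i for real vectors (section 2.1)."""
    return sum(a * b for a, b in zip(u, v))


def apply(a, v):
    """The vector A v."""
    return [inner(row, v) for row in a]


def matmul(a, b):
    """The matrix product A B."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def transpose(a):
    return [list(col) for col in zip(*a)]


def is_unitary(u, eps=1e-9):
    """Real unitary: the inverse is the transpose, i.e. U^T U = I (section 2.3)."""
    prod = matmul(transpose(u), u)
    n = len(u)
    return all(abs(prod[i][j] - (1.0 if i == j else 0.0)) < eps
               for i in range(n) for j in range(n))


def kron_vec(e, f):
    """e (x) f of equation (4): (e_1 f_1, ..., e_1 f_m2, e_2 f_1, ..., e_m1 f_m2)."""
    return [ei * fj for ei in e for fj in f]


def kron_op(a, a2):
    """A (x) A' as the block matrix whose (i, j) block is a_ij A'."""
    m1, m2 = len(a), len(a2)
    return [[a[i // m2][j // m2] * a2[i % m2][j % m2] for j in range(m1 * m2)]
            for i in range(m1 * m2)]


def is_orthonormal(basis, eps=1e-9):
    """Section 2.1: <e_i, e_j> = 0 for i != j and ||e_i|| = 1."""
    return all(abs(inner(basis[i], basis[j]) - (1.0 if i == j else 0.0)) < eps
               for i in range(len(basis)) for j in range(len(basis)))


def composite_basis():
    """The basis {e_i (x) f_j} of H_2 (x) H_2 built from the rectilinear basis."""
    plus = [KET0, KET1]
    return [kron_vec(e, f) for e in plus for f in plus]


def preserves_inner_product(u, v, op, eps=1e-9):
    """<u|v> = <Uu|Uv>, the invariant of section 2.3."""
    return abs(inner(u, v) - inner(apply(op, u), apply(op, v))) < eps


def tensor_evolution_factors(eps=1e-9):
    """(H (x) S)(|0> (x) |1>) equals H|0> (x) S|1>: the composite operator
    acts on each factor separately (assumed identity, checked numerically)."""
    lhs = apply(kron_op(H, S), kron_vec(KET0, KET1))
    rhs = kron_vec(apply(H, KET0), apply(S, KET1))
    return all(abs(x - y) < eps for x, y in zip(lhs, rhs))
```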
3 Quantum States

In quantum cryptography, classical information is encoded in the state of a
quantum system. In this section, we describe what is meant by a quantum state.
We shall define pure states as a special case of all quantum states. Complete
measurements of quantum states are also discussed. Finally, we introduce the
most general quantum states allowed by the theory: quantum mixtures.



3.1 Maximal Tests 

Before giving the definition of a quantum state, it is convenient to introduce
maximal quantum tests [38]. Suppose you want to observe a property of a
quantum system that can possibly take $N$ different values. If the test you devise
allows one to distinguish between all $N$ possibilities, we say that it is a maximal
quantum test. An $N$-outcome measurement of this property implements a maximal
quantum test. A test that gives only partial information about the measured
property is said to be a partial test.



3.2 Pure States 

If a quantum system is prepared in such a way that one can devise a maximal
quantum test that yields with certainty a particular outcome then we say that
the quantum system is in a pure state. It follows that measuring a pure state several
times always yields the same outcome [38].

In quantum mechanics, pure states are described by normalized vectors in
some Hilbert space. If the maximal test for a pure state has $n$ possible outcomes
then the state is described by a vector $|\phi\rangle \in \mathcal{H}_n$. The polarization state of a
photon is the usual way to encode information in quantum cryptography. Pure
states for the polarization of a photon can be tested by a 2-outcome maximal test.
It follows that the polarization state (i.e. here we drop the word pure, adopting
the convention that unless stated otherwise a state is pure) is described by a
normalized vector in $\mathcal{H}_2$. As an example, $|0\rangle$, $|1\rangle$, $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) = H|0\rangle$ and
$\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle) = H|1\rangle$ are all possible states for the polarization of a photon.
The pure state $|0\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle_+ + |1\rangle_+)$ is said to be a superposition of the pure
states $|0\rangle_+$ and $|1\rangle_+$.

It is easy to verify that the tensor product operation $|\phi\rangle \otimes |\phi'\rangle$ for $\phi \in \mathcal{H}$
and $\phi' \in \mathcal{H}'$ preserves the purity of the two quantum states $|\phi\rangle$ and $|\phi'\rangle$. That
means that whenever $|\phi\rangle \in \mathcal{H}$ and $|\phi'\rangle \in \mathcal{H}'$ are brought together then the new
composite system remains in a pure state. This must be the case since the maximal
test in $\mathcal{H}$ for $|\phi\rangle$ followed by the maximal test in $\mathcal{H}'$ for $|\phi'\rangle$ defines one maximal
test in $\mathcal{H} \otimes \mathcal{H}'$ for $|\phi\rangle \otimes |\phi'\rangle$.

The time evolution of a pure state (and also of a mixture as defined in section
3.4) is always unitary and any unitary transformation is a possible evolution of
a quantum state. Let $U \in \mathcal{H}_{2^l}$ be any unitary transformation acting on vectors
in the Hilbert space $\mathcal{H}_{2^l} = \bigotimes_{i=1}^{l} \mathcal{H}_2$. Let $E = \{e_1, e_2, \ldots, e_{2^l}\}$ be a basis for $\mathcal{H}_{2^l}$
and let $|\phi\rangle \in \mathcal{H}_{2^l}$ be any pure state in $\mathcal{H}_{2^l}$. We have that

$$U|\phi\rangle = U \sum_{j=1}^{2^l} a_j |e_j\rangle = \sum_{j=1}^{2^l} a_j\, U|e_j\rangle$$

for $a_j \in \mathbb{C}$ and $\sum_{j=1}^{2^l} |a_j|^2 = 1$. This means that $U$ is in fact applied simultaneously
to each element appearing in the superposition $|\phi\rangle$. This kind of parallel computation
is very important for speeding up classical algorithms using quantum
phenomena. As we shall see in section 6, it also has important consequences in
cryptography.

3.3 Complete Measurements 

We have seen that pure states are quantum states for which there exists a maximal
test giving a predictable outcome (thus repeatable). Measurements are implementations
of the testing procedures. Quantum mechanics defines complete
measurements as measurements implementing a maximal test for some quantum
states. Formally,

Definition 3. A complete or von Neumann measurement of a quantum state in
$\mathcal{H}_n$ is described by a Hermitian operator $M \in \mathcal{H}_n$ with $n$ distinct eigenvalues
$E_M = \{a_1, \ldots, a_n\}$. Each eigenvalue $a \in E_M$ is a possible outcome for the
measurement.

From definition 3, the outcomes of a complete measurement $M$ are in one-to-one
correspondence with the set of orthogonal projections $\mathcal{P}_M$ appearing in $M$'s
spectral decomposition, since the decomposition is unique when all eigenvalues
are distinct. Let $P_a \in \mathcal{P}_M$ be the projection associated with eigenvalue $a \in E_M$.
It is always possible to write $P_a = |\psi_a\rangle\langle\psi_a|$ for a normalized vector $|\psi_a\rangle$ that is
an eigenvector of $M$. Definition 3 does not describe the behaviour of complete
measurements but just the way they are modelled. In order to understand what
a complete measurement is, we have to specify the probability of observing
the outcome corresponding to any eigenvalue in $E_M$ and what happens to the
system once the outcome has been observed. This is where quantum measurements,
and consequently quantum states, differ from the classical ones. When a
system $\Phi$ in quantum state $|\phi\rangle \in \mathcal{H}_n$ is measured by a complete measurement
$M$, the following is always satisfied:

— The outcome corresponding to $a \in E_M$ is obtained with probability $p_\phi(a) = \langle\phi|P_a|\phi\rangle$.

— If $a \in E_M$ is the outcome then the state of $\Phi$ after the measurement is $|\psi_a\rangle$.

Any normalized vector $|\phi\rangle \in \mathcal{H}_n$ can be tested maximally by a complete measurement
$M$ having the projection $P_a = |\phi\rangle\langle\phi|$ in its spectral decomposition. The
outcome of $M$ applied upon $|\phi\rangle$ is predictable since the eigenvalue $a$ satisfies
$p_\phi(a) = \langle\phi|P_a|\phi\rangle = \langle\phi|\phi\rangle\langle\phi|\phi\rangle = 1$. It is always possible to find such an $M$, so
normalized vectors really describe pure states. Since projections and normalized
vectors are in one-to-one correspondence, one can describe a pure state
by a projection as well. It follows that a pure state $|\phi\rangle$ can always be written as
the projection operator $P_\phi = |\phi\rangle\langle\phi|$. From definition 2 and equation 1 we have
that any pure state is represented by a density operator, but not all density
operators represent pure states, as we shall see in the next section.

We have seen that complete measurements in $\mathcal{H}_n$ are modelled by Hermitian
operators $M \in \mathcal{H}_n$ having $n$ distinct eigenvalues. The set of eigenvectors of
$M$ defines a basis for $\mathcal{H}_n$. It follows that a complete measurement can also
be described by an orthonormal basis $F$ for $\mathcal{H}_n$ where each $v \in F$ is a possible
outcome of $M$. Another equivalent way to specify a complete measurement is
the set $\mathcal{P}_M$ of the $n$ orthogonal projections in $\mathcal{H}_n$ appearing in $M$'s spectral
decomposition. Each projection $P \in \mathcal{P}_M$ is one of the possible orthogonal rays
on which $M$ projects the initial state. Using this representation of complete
measurements, the following two complete measurements

$$M_+ = \{P_0, P_{\frac{\pi}{2}}\} \quad \text{and} \quad M_\times = \{P_{\frac{\pi}{4}}, P_{\frac{3\pi}{4}}\}$$

will be used extensively in the following.



3.4 Mixed States 

Suppose an observer is sitting next to a source of photons $S$. The dynamic of $S$ is
such that with probability $\frac{1}{2}$ a photon in state $|0\rangle$ is sent and with probability $\frac{1}{2}$ a
photon in state $|1\rangle$ is sent. The behaviour of $S$ can be described by a probability
distribution $\mathcal{D}_S = \{(\frac{1}{2}, |0\rangle), (\frac{1}{2}, |1\rangle)\}$ over pure states in $\mathcal{H}_2$. Clearly, the next
photon $\pi$ that is going to be transmitted by $S$ is not in a pure state since no
complete measurement can be defined such that the outcome will be predictable
by the observer. To verify this, observe that if $M$ represents a maximal test on
$\mathcal{D}_S$ then we have that $p_{|0\rangle}(a_0) = p_{|1\rangle}(a_1) = 1$ where $a_0 \ne a_1$ are two eigenvalues
of $M$. Let $p(a_0)$ and $p(a_1)$ be the probabilities of observing $a_0$ and $a_1$ respectively
when the next photon transmitted by $S$ is measured. We have that

$$p(a_0) = \tfrac{1}{2}\,p_{|0\rangle}(a_0) = \tfrac{1}{2}\,p_{|1\rangle}(a_1) = p(a_1) = \tfrac{1}{2}.$$

We conclude that no implementation of a maximal test is predictable when
applied on the next particle produced by $S$. The quantum state transmitted by
$S$ is therefore not a pure state.

Definition 4. A quantum mixture is a probability distribution over pure states
in some Hilbert space $\mathcal{H}$. Moreover, any quantum state is a quantum mixture.
In general we say that a quantum system is in a mixed state if it is not in a pure
state.

Definition 4 does not say how a measurement behaves when a mixed state is
observed. Let $\mathcal{D} = \{(p_i, |s_i\rangle)\}_{i=1}^{l}$ be an arbitrary quantum mixture in Hilbert
space $\mathcal{H}$. We define the operator $\rho_\mathcal{D}$ as

$$\rho_\mathcal{D} = \sum_{i=1}^{l} p_i\,|s_i\rangle\langle s_i|. \tag{5}$$

By definition, $\rho_\mathcal{D}$ is a density operator since each $|s_i\rangle\langle s_i|$ has trace 1. Equation
5 reminds us of the spectral decomposition, except for the pure states $|s_i\rangle$ that
are not necessarily orthogonal. Since $\rho_\mathcal{D}$ is Hermitian, it is always possible to
write

$$\rho_\mathcal{D} = \sum_{i=1}^{l} p_i\,|s_i\rangle\langle s_i| = \sum_{i=1}^{m} p'_i\,P_i \tag{6}$$

where for all $i \ne j$, $P_i$ and $P_j$ are orthogonal and $\sum_{i=1}^{m} p'_i = 1$. A consequence
of equation 6 is that two different mixtures $\mathcal{D}$ and $\mathcal{D}'$ may share the same density
matrix. Let $P_{s_i} = |s_i\rangle\langle s_i|$ be the projection operator associated with the pure
state $|s_i\rangle$. We have that

$$\rho_\mathcal{D} = \sum_{i=1}^{l} p_i\,P_{s_i} = \sum_{i=1}^{m} p'_i\,P_i = \rho_{\mathcal{D}'}$$

where $\mathcal{D}' = \{(p'_i, P_i)\}_{i=1}^{m}$. The physical interpretation is that several different
physical preparations can produce the same physical state.

If we return to our interpretation of a quantum mixture as a probability distribution
over pure states, it becomes clear how a complete measurement behaves
on it. Each time an observer performs a measurement on a quantum mixture
$\mathcal{D}$, the measurement is applied on a random pure state $|\phi\rangle \in \mathcal{H}$ picked according
to $\mathcal{D}$. Let $\rho_\mathcal{D}$ be the density operator for mixture $\mathcal{D} = \{(p_i, |s_i\rangle)\}_i$. Let
$M = \sum_i a_i P_i \in \mathcal{H}$ be a complete measurement with outcomes (or eigenvalues)
$E_M = \{a_i\}_i$ and such that all $P_i$'s are orthogonal. The behaviour of $M$ when
applied upon $\mathcal{D}$ satisfies the following:

— The probability $p_\mathcal{D}(a)$ that the complete measurement $M$ gives the outcome
$a \in E_M$ is

$$p_\mathcal{D}(a) = \sum_{(p, |s\rangle) \in \mathcal{D}} p\,\langle s|P_a|s\rangle = \mathrm{Tr}(P_a\,\rho_\mathcal{D}) \tag{7}$$

where $P_a$ is the projection associated to the eigenvalue $a$ in the spectral
decomposition of $M$.

— After the outcome $a$ has been observed, the system is in the
pure state $P_a$.

Since the statistics of a measurement are completely specified by the density
operator $\rho_\mathcal{D}$, it follows that two mixtures $\mathcal{D}$ and $\mathcal{D}'$ having the same density
operator behave the same when they are measured. We conclude that two
mixtures sharing the same density operator are indistinguishable by any physical
process.

As an example, consider the mixture $\mathcal{D}$ produced by the source $S$ and the
new mixture $\mathcal{D}' = \{(\frac{1}{4}, |0\rangle), (\frac{1}{4}, |1\rangle), (\frac{1}{4}, |0\rangle_\times), (\frac{1}{4}, |1\rangle_\times)\}$ produced by the source
$S'$. One can verify that

$$\rho_{\mathcal{D}'} = \tfrac{1}{4}\left(|0\rangle\langle 0| + |1\rangle\langle 1| + |0\rangle_\times\langle 0| + |1\rangle_\times\langle 1|\right) = \tfrac{1}{2} I_2 = \rho_\mathcal{D}.$$

It follows that no physical process can distinguish between sources $S$ and $S'$.
These two preparation methods are equivalent.

In the following we sometimes denote quantum systems in $\mathcal{H}_2$ by qubits. As we
have seen, a qubit cannot store more than 1 classical bit of information since any
complete test on it has only two possible outcomes. This explains the analogy
between "qubits" and "bits".

Henceforth, we shall write $\rho \in \mathcal{H}$, for a density operator $\rho$, if it acts on vectors
in $\mathcal{H}$.



4 Oblivious Encoding of Information 

In this section we shall see that the indistinguishability between quantum mixed
states sharing the same density matrix leads to an encoding of classical information
that cannot be recovered with 100% reliability by the receiver. This kind
of encoding scheme is relevant to cryptography since it allows one to perform non-trivial
cryptographic tasks. For instance, consider the classical binary symmetric
channel (BSC) that allows one to send bits with error probability $0 < \epsilon < \frac{1}{2}$. The
transmission of a classical bit through a BSC does not disclose all information
to the receiver since the communication is noisy. The sender does not have all
the information either, since (s)he does not know whether the receiver got the
bit or its complement. Crépeau and Kilian [16] have shown that a BSC allows one to
build a secure oblivious transfer protocol and thus provides all the power needed
for secure two-party computation. Noisy channels can also be used to implement
secure secret-key distribution protocols as, for example, Wyner's wire-tap
channel [45] or Maurer's secret-key agreement from common information [30].
This oblivious encoding of information is what we would like to achieve based
on quantum mechanics. It would allow one to see the quantum channel as a noisy
channel, thus providing the power needed for secure two-party computation.
4.1 The BB84 Coding Scheme

The BB84 coding scheme was introduced by Bennett and Brassard [1] in
order to achieve quantum secret-key distribution. As we shall see, the coding
scheme can also be used in order to implement a wide variety of cryptographic
tasks using the same quantum transmission procedure. The coding implements
some kind of noisy transfer of a classical bit.

The idea behind the BB84 coding scheme is that classical bits 0 and 1 are
encoded by non-orthogonal states and therefore cannot be distinguished perfectly
by any measurement. For this, we define the two following bases in $\mathcal{H}_2$:

— The rectilinear basis $+ = \{|0\rangle_+, |1\rangle_+\}$

— The diagonal basis $\times = \{|0\rangle_\times, |1\rangle_\times\}$.

Each vector in the rectilinear and diagonal bases will be the encoding of a classical
bit. The following quantum transmission scheme is the main tool used in almost
all quantum protocols. It is the standard quantum transmission between a sender
$\mathcal{S}$ and a receiver $\mathcal{R}$:

BB84 Quantum Transmission

1. $\mathcal{S}$ picks a random $b \in_R \{0, 1\}$ and a random $\theta \in_R \{+, \times\}$,

2. $\mathcal{R}$ picks a random $\hat{\theta} \in_R \{+, \times\}$,

3. $\mathcal{S}$ sends a photon $\pi$ in quantum state $|b\rangle_\theta$ through the quantum channel,

4. $\mathcal{R}$ measures $\pi$ with the complete measurement $M_{\hat{\theta}}$ and records the outcome

$$\hat{b} = \begin{cases} 0 & \text{if } |0\rangle_{\hat{\theta}} \text{ is observed,} \\ 1 & \text{if } |1\rangle_{\hat{\theta}} \text{ is observed.} \end{cases}$$

One BB84 quantum transmission produces a photon $\pi$ with polarization in the
mixed state $\mathcal{D}_{BB84} = \{(\frac{1}{4}, |0\rangle_+), (\frac{1}{4}, |1\rangle_+), (\frac{1}{4}, |0\rangle_\times), (\frac{1}{4}, |1\rangle_\times)\}$. From equation
6, the mixture $\mathcal{D}_{BB84}$ is described by the density operator

$$\rho_{BB84} = \tfrac{1}{4}\left(|0\rangle_+\langle 0| + |1\rangle_+\langle 1| + |0\rangle_\times\langle 0| + |1\rangle_\times\langle 1|\right) = \tfrac{1}{2} I_2.$$

On the receiving end, $\mathcal{R}$ measures $\pi$ either with the complete measurement $M_+$
or with $M_\times$, each being chosen with probability $\frac{1}{2}$. For any $\theta \in \{+, \times\}$ the
Hermitian operator $M_\theta$ with eigenvalues $E_{M_\theta} = \{0, 1\}$ can be written as

$$M_+ = P_0 = |0\rang\rangle_+\langle 0| \quad \text{and} \quad M_\times = P_{\frac{\pi}{4}} = |0\rangle_\times\langle 0|.$$

Suppose $\mathcal{S}$ sends $\pi$ in state $|0\rangle$ (i.e. when $\mathcal{S}$ chooses $b = 0$ and $\theta = +$) and $\mathcal{R}$
measures in basis $\hat{\theta} = +$. The probability $p_+(0)$ that $\mathcal{R}$ gets the outcome 0, thus
setting $\hat{b} = 0 = b$, is

$$p_+(0) = \langle 0|P_0|0\rangle = \langle 0| \begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix} |0\rangle = \langle 0|0\rangle = 1. \tag{8}$$

If $\mathcal{R}$ had chosen measurement $M_\times$ instead then the probability $p_\times(0)$ for
$\mathcal{R}$ to decode correctly would be

$$p_\times(0) = \langle 0|P_{\frac{\pi}{4}}|0\rangle = \langle 0| \tfrac{1}{2}\begin{pmatrix} 1 & 1 \\ 1 & 1 \end{pmatrix} |0\rangle = \langle 0|(\tfrac{1}{2}, \tfrac{1}{2})\rangle = \tfrac{1}{2}. \tag{9}$$

Equations 8 and 9 show the obliviousness property of the BB84 quantum
transmission. If $\mathcal{R}$ chooses $\hat{\theta} = \theta$ then the decoded bit $\hat{b} = b$ with probability 1.
However, if $\mathcal{R}$ chooses $\hat{\theta} \ne \theta$ then the decoded bit $\hat{b}$ is completely random. The
BB84 coding scheme is symmetric and behaves the same way if the basis $\theta$ is $\times$
instead of $+$ and if the bit $b = 1$ instead of 0. It follows that the probability $p_s$
that $\hat{b} = b$ is

$$p_s = p(\hat{\theta} = \theta) + \tfrac{1}{2}\,p(\hat{\theta} \ne \theta) = \tfrac{3}{4}. \tag{10}$$

From equation 10 we conclude that if $\mathcal{S}$ and $\mathcal{R}$ follow the protocol honestly then
the BB84 quantum transmission implements a BSC with error probability $\frac{1}{4}$.
4.2 BB84 Is Oblivious 

We now look at what happens when one party involved in a BB84 quantum 
transmission does not behave according the rules. We shall see what advantage 
a dishonest receiver TZ* gets by choosing complete measurements different from 
M+ and Mx . 

The goal for TZ* is to figure out the bit 6 with better probability than |. In 
other words, TZ* is looking for a complete measurement that allows to distinguish 
between Vq = {(i, |0)+), (i, |0)x )} and = {(|, |1)+), (^, |l)x)} more accu- 
rately than measurements M+ and Mx . Let po and p\ be the density operators 
for T>o and T>i respectively. We have that 

00 = ^ ^ and Pi = ^ ^ ^ (11) 

Using equation 7, one can verify that 

= P (6 ^ 6) = i (Tr(Popo) + Tr(P.po) + Tr(P.pi) + Tr(P^pi)) = | 

Let $M_B = \{P_B, P_B^{\perp}\}$ be the complete measurement with possible outcomes $P_B = |b_0\rangle\langle b_0|$ and $P_B^{\perp} = I_2 - P_B = |b_1\rangle\langle b_1|$, where $b_0 = (\cos\tfrac{\pi}{8}, \sin\tfrac{\pi}{8})$ and $b_1 = (-\sin\tfrac{\pi}{8}, \cos\tfrac{\pi}{8})$. Assume $R^*$ measures $\pi$ with $M_B$ and let $P_B(b)$ be the probability of getting the outcome $b$ when $\rho_b$ is sent. We have that
\[ P_B(0) = \mathrm{Tr}(P_B\,\rho_0) = \cos^2\tfrac{\pi}{8} \tag{12} \]
\[ P_B(1) = \mathrm{Tr}(P_B^{\perp}\,\rho_1) = \cos^2\tfrac{\pi}{8} \tag{13} \]
Equations 12 and 13 show that if $R^*$ wants to maximize his information about $b$, it is to his advantage to apply measurement $M_B$ on $\pi$. In this case, the probability of decoding $b$ correctly is about 85% instead of $\frac34$ when $M_+$ or $M_\times$ is applied. We can show that $M_B$ is in fact the measurement that maximizes the probability of decoding $b$ correctly. The spectral decomposition of the density operators $\rho_0$ and $\rho_1$ is
\[ \rho_0 = \cos^2\tfrac{\pi}{8}\,|b_0\rangle\langle b_0| + \sin^2\tfrac{\pi}{8}\,|b_1\rangle\langle b_1| \quad\text{and}\quad \rho_1 = \sin^2\tfrac{\pi}{8}\,|b_0\rangle\langle b_0| + \cos^2\tfrac{\pi}{8}\,|b_1\rangle\langle b_1| . \]
This means that $\mathcal{D}_0 = \{(\cos^2\tfrac{\pi}{8}, |b_0\rangle), (\sin^2\tfrac{\pi}{8}, |b_1\rangle)\}$ and $\mathcal{D}_1 = \{(\sin^2\tfrac{\pi}{8}, |b_0\rangle), (\cos^2\tfrac{\pi}{8}, |b_1\rangle)\}$. Therefore, sending $b$ using the BB84 coding scheme behaves, whatever measurement $R$ performs, at best as if $b$ were sent through a BSC with error probability $\sin^2\tfrac{\pi}{8}$. It follows that the quantum state $\rho_b$, for any $b \in \{0,1\}$, does not carry more information than $H(\cos^2\tfrac{\pi}{8}, \sin^2\tfrac{\pi}{8})$ about $b$. The BB84 coding scheme is therefore inherently oblivious.

The BB84 coding scheme completely hides $S$'s basis $\theta \in \{+, \times\}$. To see this, consider the mixed state $\mathcal{D}_\theta$ corresponding to a photon $\pi$ polarized in basis $\theta$. We have that $\mathcal{D}_\theta = \{(\tfrac12, |0\rangle_\theta), (\tfrac12, |1\rangle_\theta)\}$. Let $\rho_+$ and $\rho_\times$ be the density operators corresponding to $\mathcal{D}_+$ and $\mathcal{D}_\times$ respectively. One can easily verify that
\[ \rho_+ = \tfrac12\bigl(|0\rangle_+\langle 0| + |1\rangle_+\langle 1|\bigr) = \tfrac12\bigl(|0\rangle_\times\langle 0| + |1\rangle_\times\langle 1|\bigr) = \rho_\times , \]
both being equal to $\tfrac12 I_2$. This implies that, given a BB84 photon $\pi$, it is impossible to figure out which basis $\theta$ has been used by $S$. This holds for any quantum measurement $R$ could perform on $\pi$. The basis $\theta$ is perfectly concealed by the BB84 coding scheme.
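The numbers in equations 8 to 13 and the basis-hiding identity above can be checked directly by computing $\mathrm{Tr}(P\rho)$ for the relevant projectors. The following is an added worked example (it is not code from the paper) in plain Python, with the BB84 states and the Breidbart vectors $b_0$, $b_1$ written out as constants; the only assumption is that all amplitudes are real, which holds for every state used in this section.

```python
"""Density-operator arithmetic behind Sections 4.1-4.2 (added example, plain Python).

A 2x2 operator is a nested list; a state is a 2-element list of real amplitudes
(every BB84 state here is real, so no complex numbers are needed).
"""
import math

# |0>_+, |1>_+ and |0>_x, |1>_x, written out as in the paper
BASES = {
    "+": ([1.0, 0.0], [0.0, 1.0]),
    "x": ([1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]),
}

def projector(v):
    """|v><v| for a real unit vector v."""
    return [[v[i] * v[j] for j in range(2)] for i in range(2)]

def combine(a, b, wa, wb):
    """wa*a + wb*b for 2x2 operators."""
    return [[wa * a[i][j] + wb * b[i][j] for j in range(2)] for i in range(2)]

def trace_prod(a, b):
    """Tr(a b): the Born-rule probability when a is a projector and b a density operator."""
    return sum(a[i][j] * b[j][i] for i in range(2) for j in range(2))

def rho(bit):
    """Density operator rho_b of D_b = {(1/2, |b>_+), (1/2, |b>_x)}, equation (11)."""
    return combine(projector(BASES["+"][bit]), projector(BASES["x"][bit]), 0.5, 0.5)

def decode_success(measurement):
    """P(b_hat = b) for a uniform b when R always applies `measurement` = (P for 0, P for 1)."""
    p_for_0, p_for_1 = measurement
    return 0.5 * trace_prod(p_for_0, rho(0)) + 0.5 * trace_prod(p_for_1, rho(1))

def honest_success():
    """R picks M_+ or M_x at random: p_s of equation (10)."""
    m_plus = tuple(projector(v) for v in BASES["+"])
    m_x = tuple(projector(v) for v in BASES["x"])
    return 0.5 * decode_success(m_plus) + 0.5 * decode_success(m_x)

def breidbart_success():
    """R* applies M_B with b0 = (cos pi/8, sin pi/8), b1 = (-sin pi/8, cos pi/8): equations (12)-(13)."""
    c, s = math.cos(math.pi / 8), math.sin(math.pi / 8)
    return decode_success((projector([c, s]), projector([-s, c])))

def spectral_decomposition_holds(tol=1e-12):
    """rho_0 == cos^2(pi/8)|b0><b0| + sin^2(pi/8)|b1><b1| (end of Section 4.2)."""
    c, s = math.cos(math.pi / 8), math.sin(math.pi / 8)
    recon = combine(projector([c, s]), projector([-s, c]), c * c, s * s)
    return all(abs(recon[i][j] - rho(0)[i][j]) < tol for i in range(2) for j in range(2))

def basis_density(basis):
    """rho_theta of D_theta = {(1/2, |0>_theta), (1/2, |1>_theta)}."""
    v0, v1 = BASES[basis]
    return combine(projector(v0), projector(v1), 0.5, 0.5)

def basis_is_hidden(tol=1e-12):
    """rho_+ == rho_x (both are I/2): no measurement reveals which basis S used."""
    rp, rx = basis_density("+"), basis_density("x")
    return all(abs(rp[i][j] - rx[i][j]) < tol for i in range(2) for j in range(2))

if __name__ == "__main__":
    print("random +/x measurement:", honest_success())          # 0.75
    print("Breidbart measurement :", breidbart_success())       # cos^2(pi/8) = 0.8535...
    print("spectral form ok:", spectral_decomposition_holds(), "basis hidden:", basis_is_hidden())
```

Running it prints $p_s = 0.75$ for the honest receiver and $\cos^2\tfrac{\pi}{8} \approx 0.854$ for $M_B$; the two boolean checks confirm the spectral form of $\rho_0$ and that $\rho_+ = \rho_\times$, which is the whole content of the basis-hiding argument.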

4.3 BB84 as a Quantum Primitive 

The BB84 coding scheme is the quantum ingredient of most quantum protocols [1,2,12,17]. The difference between all these protocols lies in the classical communication taking place after the quantum transmission. The BB84 coding scheme is a kind of universal cryptographic primitive. Typically, a quantum protocol requires many BB84 transmissions upon which the classical part of the protocol is based. The parties involved in the classical part communicate only via the public channel. The classical phase is very often the only task-dependent part of a quantum protocol.

In the following, we write $((b, \theta), (\hat b, \hat\theta)) \leftarrow \mathrm{BB84}_N$ to denote $N$ independent BB84 quantum transmissions of photons $\pi_1, \pi_2, \ldots, \pi_N$. $S$'s random bits are $b = b_1, b_2, \ldots, b_N$ and the $N$ choices for the polarization bases are $\theta = \theta_1, \theta_2, \ldots, \theta_N \in \{+, \times\}^N$. The $N$ particles $\pi_1, \pi_2, \ldots, \pi_N$ that are sent through the quantum channel are therefore in the composite state $|b_1\rangle_{\theta_1} \otimes |b_2\rangle_{\theta_2} \otimes \cdots \otimes |b_N\rangle_{\theta_N} \in \mathcal{H}_{2^N}$. On each received particle $\pi_i$, $R$ performs the measurement $M_{\hat\theta_i}$ for $\hat\theta_i \in \{+, \times\}$, providing the outcome $\hat b_i$.

5 From BB84 to Quantum Oblivious Transfer 

The BB84 coding scheme shows similarities with the description of an oblivious transfer. In BB84, the receiver gets the bit $b$ with probability $\frac12$ (i.e. when $\hat\theta = \theta$). The only difference between a BB84 transmission and an oblivious transfer is that in the BB84 case, $R$ does not know whether he has received the bit or not.

One way to tell $R$ whether or not he got $b$ would be for $S$ to announce the basis $\theta$ used to transmit $b$. If the receiver finds out that $\hat\theta = \theta$ then $\hat b = b$. Otherwise, the received bit $\hat b$ is not correlated with the bit sent. However, this method allows $R$ to cheat and receive $\hat b = b$ all the time! $R$ just stores the photon he receives and waits (without disturbing it) for $S$ to announce $\theta$. Once $R$ knows $\theta$, he measures the photon with measurement $M_\theta$, thus recovering $b$ perfectly. One way to overcome this problem would be to require $R$ to commit to $\hat\theta$ and $\hat b$ before $S$ announces $\theta$. With probability $\kappa > 0$, $S$ asks $R$ to open the commitment. $S$ then verifies that whenever $\hat\theta = \theta$, $R$ obtained the outcome $\hat b = b$. If this is not the case then $S$ stops the execution. With probability $1 - \kappa$, $S$ announces $\theta$, allowing $R$ to find out whether he received $b$. We have made a step forward but the method does not implement an oblivious transfer yet. $R$ still has probability $1 - \kappa$ of not being asked to open the commitment. This allows him to take a chance and commit to random values, which lets him leave the received particle unmeasured until $\theta$ is announced. The probability of not being caught remains better than $1 - \kappa$: a random commitment is only inconsistent when $\hat\theta = \theta$ and $\hat b \neq b$, so the probability of being caught is in fact only $\kappa/4$.

The above construction is the idea behind the quantum oblivious transfer protocol of Bennett, Brassard, Crépeau and Skubiszewska [5], called the BBCS protocol. Below, we present a slight modification of the BBCS protocol allowing Alice to send the bit $x$ to Bob by oblivious transfer. $N$ BB84 transmissions are performed, out of which about one half have been received perfectly. One subset $S_c$, for $c \in \{0,1\}$, contains the positions $i$ such that $\hat\theta_i = \theta_i$ whilst the set $S_{1-c}$ contains the positions $i$ such that $\hat\theta_i \neq \theta_i$. The two sets $S_0$ and $S_1$ are announced to Alice without telling her the bit $c$. Alice encodes the bit $x$ she wants to transmit by OT using the bits in the positions in $S_q$, for a random $q \in \{0,1\}$. The encoding allows Bob to recover $x$ if and only if $q = c$, which happens with probability exactly $\frac12$. The protocol needs a bit commitment scheme in order to be implemented securely. Let us assume that $\mathrm{BC}(w)$, for $w \in \{0,1\}$, is a secure commitment to bit $w$.






BBCS QOT Scheme($x$)

1. Alice and Bob execute $((b, \theta), (\hat b, \hat\theta)) \leftarrow \mathrm{BB84}_N$ where Alice is $S$ and Bob is $R$,

2. Bob sends to Alice the commitments $\{(\mathrm{BC}(\hat b_i), \mathrm{BC}(\hat\theta_i))\}_{i=1}^{N}$,

3. Alice selects a random subset of positions $I \subset \{1, \ldots, N\}$ that she announces to Bob,

4. Bob opens $\{(\mathrm{BC}(\hat b_i), \mathrm{BC}(\hat\theta_i))\}_{i \in I}$, allowing Alice to verify that for all $i \in I$ such that $\hat\theta_i = \theta_i$ it is the case that $\hat b_i = b_i$. If Alice finds errors she stops the execution, else let $J = \{1, \ldots, N\} \setminus I$ be the set of untested positions,

5. Alice announces $\theta_J = \{\theta_i \mid i \in J\}$; Bob picks a random $c \in \{0,1\}$ and sets $S_c = \{i \in J \mid \hat\theta_i = \theta_i\}$, $S_{1-c} = J \setminus S_c$,

6. Bob announces $(S_0, S_1)$ to Alice (he keeps $c$ secret),

7. Alice picks $q \in_R \{0,1\}$ and announces $q$ together with $r = x \oplus \bigoplus_{i \in S_q} b_i$ to Bob,

8. If $q = c$ then Bob computes $x = r \oplus \bigoplus_{i \in S_c} \hat b_i$, else Bob does not receive $x$.
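To make the eight steps concrete, here is a classical simulation of the scheme, added as an example (it is not code from the paper). The quantum channel is replaced by the honest-party statistics of section 4.1 ($R$ learns $b_i$ when $\hat\theta_i = \theta_i$ and a uniform bit otherwise), so it cannot model quantum attacks such as the store-and-wait strategy; the commitment $\mathrm{BC}(w)$ is instantiated as SHA-256 over the value and a random nonce, an assumption made only for this simulation. The `bob_measures=False` switch models the lazy receiver of the introduction, who commits to random values without measuring, and shows how the tested positions $I$ catch him.

```python
"""Classical simulation of the BBCS QOT scheme (added example, not from the paper).

The quantum channel is replaced by the honest-party statistics of Section 4.1:
R reads b when theta_hat == theta and a uniform bit otherwise. BC(w) is
instantiated as SHA-256(value || nonce), an assumption made for this simulation.
"""
import hashlib
import random

def bb84_n(n, rng):
    """N honest BB84 transmissions, classically: returns (b, theta, b_hat, theta_hat)."""
    b = [rng.randrange(2) for _ in range(n)]
    theta = [rng.choice("+x") for _ in range(n)]
    theta_hat = [rng.choice("+x") for _ in range(n)]
    b_hat = [b[i] if theta_hat[i] == theta[i] else rng.randrange(2) for i in range(n)]
    return b, theta, b_hat, theta_hat

def commit(value, nonce):
    """Hash-based bit commitment (assumed instantiation of BC)."""
    return hashlib.sha256(f"{value}|{nonce}".encode()).hexdigest()

def xor_all(bits, positions):
    out = 0
    for i in positions:
        out ^= bits[i]
    return out

def bbcs_qot(x, n, rng, bob_measures=True):
    """Steps 1-8 of the scheme. Returns (bob_output, aborted); bob_output is None
    when q != c. bob_measures=False is the lazy receiver of the introduction, who
    commits to random values without measuring (hoping not to be tested)."""
    b, theta, b_hat, theta_hat = bb84_n(n, rng)                       # step 1
    if not bob_measures:
        b_hat = [rng.randrange(2) for _ in range(n)]
        theta_hat = [rng.choice("+x") for _ in range(n)]
    nonces = [(rng.getrandbits(64), rng.getrandbits(64)) for _ in range(n)]
    coms = [(commit(b_hat[i], nonces[i][0]), commit(theta_hat[i], nonces[i][1]))
            for i in range(n)]                                        # step 2
    tested = set(rng.sample(range(n), n // 2))                        # step 3
    for i in tested:                                                  # step 4
        opened = (commit(b_hat[i], nonces[i][0]), commit(theta_hat[i], nonces[i][1]))
        if opened != coms[i] or (theta_hat[i] == theta[i] and b_hat[i] != b[i]):
            return None, True                                         # Alice stops
    untested = [i for i in range(n) if i not in tested]
    c = rng.randrange(2)                                              # step 5
    s_c = [i for i in untested if theta_hat[i] == theta[i]]
    sets = {c: s_c, 1 - c: [i for i in untested if i not in s_c]}     # step 6
    q = rng.randrange(2)                                              # step 7
    r = x ^ xor_all(b, sets[q])
    if q == c:                                                        # step 8
        return r ^ xor_all(b_hat, sets[c]), False
    return None, False

def experiment(trials, n, seed, bob_measures=True):
    """Repeat the protocol and tally correct receptions, non-receptions and aborts."""
    rng = random.Random(seed)
    stats = {"correct": 0, "wrong": 0, "none": 0, "aborted": 0}
    for _ in range(trials):
        x = rng.randrange(2)
        out, aborted = bbcs_qot(x, n, rng, bob_measures)
        if aborted:
            stats["aborted"] += 1
        elif out is None:
            stats["none"] += 1
        elif out == x:
            stats["correct"] += 1
        else:
            stats["wrong"] += 1
    return stats

if __name__ == "__main__":
    print("honest Bob:", experiment(400, 128, 1))   # about half correct, rest none, never wrong
    print("lazy Bob  :", experiment(200, 128, 2, bob_measures=False))   # caught every time
```

With an honest Bob the output is never wrong and is received in about half of the runs, which is the OT behaviour; a Bob who skips the measurement fails the step-4 check at each tested position with probability $\frac14$, so with $|I| = 64$ he is caught in essentially every run. The simulation says nothing about receivers who delay or weaken their measurement quantumly, which is exactly what the commitments and section 5.1 are about.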



The security of the scheme is based upon the inability of Bob to decode reliably the $b_i$'s for all transmissions. Intuitively, the commitments ensure Alice that Bob measured completely the particles he received before she announces $\theta = \theta_1, \ldots, \theta_N$. Therefore, it should be the case that there exists a $z \in \{0,1\}$ such that the subset of positions $S_z$ satisfies

[inequality over the positions $i \in S_z$; not legible in the source]

for some $\alpha > 0$. If Bob follows the protocol then for each photon $\pi_i$ we have that $\hat\theta_i \neq \theta_i$ with probability $\frac12$. We have seen that in this case, $P(\hat b_i = b_i \mid \hat\theta_i \neq \theta_i) = \frac12$. It follows that there exists $z \in \{0,1\}$ such that $\#\{i \in S_z \mid \hat\theta_i \neq \theta_i\}$ exceeds the required bound for any $\mu > 0$, as long as $N$ is large enough. In that case, the bit $\bigoplus_{i \in S_z} b_i$ cannot be approximated by Bob. Since Alice encodes $x$ in the XOR of all bits in $S_q$, for a random $q \in \{0,1\}$, with probability $\frac12$ we have that $q = z$ and Bob is unable to obtain information about $x$.



5.1 Security and Generalized Measurements 

In this section we quickly review what is known about the security of the BBCS protocol against dishonest parties that would take advantage of more elaborate quantum processes. Complete measurements, as described in section 3.3, are not the only way an attacker can try to get extra information. Quantum mechanics allows generalized measurements to be performed. Generalized measurements can extract information from a quantum state in such a way that the disturbance caused by the measurement process is minimized. In particular, if one is willing to get less information than what is achievable through a complete measurement, then a generalized (incomplete) measurement of the original quantum state can be done without completely destroying the initial state. One example of an incomplete measurement is the measurement that does nothing. This is formally written as the identity operator $\mathbb{1}$, which has only one eigenvalue $a = 1$ and therefore is not a complete measurement (of course!). In general, incomplete measurements are modelled by Hermitian operators with fewer distinct eigenvalues than the dimension of the Hilbert space in which they operate. They cannot give more information than complete measurements do but can nevertheless be completed later in order to get a complete measurement. For example, it is always possible to apply the useless measurement $\mathbb{1}$ on a quantum state $|\phi\rangle$ and later measure the untouched state $|\phi\rangle$ with a complete measurement. The result is simply the same as if $|\phi\rangle$ had been measured completely the first time. Or is it? One can see that even the useless measurement $\mathbb{1}$ allows one to break BBCS if no commitment is used. An incomplete measurement that gives information about the observed state $|\phi\rangle$ must destroy a part of the initial state. In general, the more distinct eigenvalues a measurement has, the more destructive it is (an example of a non-trivial incomplete measurement is given at the end of section 6.3). Incomplete measurements can be useful to an attacker involved in a quantum protocol (as we have seen with BBCS using no commitment). The reason is that between the time the attacker performs the incomplete measurement and the time the measurement is completed, some extra information is obtained (i.e. the bases $\theta$ in the case of BBCS). With this extra information, the completion of the measurement can be chosen more cleverly than before, giving more information than if a complete measurement had been chosen regardless of the extra information.

We can already verify that Alice has no way to learn whether or not the bit $x$ has been received by Bob, as long as the commitments are concealing. This is because Bob chooses randomly how to measure each photon and never gives information that would allow Alice to figure out what measurements were performed (if the commitments were not concealing, Alice could easily find out!). Therefore, given $S_0$ and $S_1$, Alice has no information about the $c \in \{0,1\}$ such that $S_c$ contains the positions $i$ where $\hat\theta_i = \theta_i$. It follows that no matter what Alice tries, it is always the case that $P(q = c) = \frac12$. Only Bob could cheat the protocol, by measuring photons $\pi_1, \ldots, \pi_N$ using measurements of his choice.

If we make the extra assumption that Bob only performs complete measurements then the security of the scheme can be shown. To see how, assume that Bob returns a commitment $\mathrm{BC}(\hat\theta, \hat b)$ with the property that if $\hat\theta = \theta$ then $\hat b = b$ with probability 1. It follows that Bob's measurement is the complete measurement $M_{\hat\theta}$. Clearly, Bob cannot get $b$ more than half the time, even once he gets to know $\theta$, since after $M_{\hat\theta}$ has been performed the state of the original photon is irreversibly destroyed. Another strategy for Bob would be to return a commitment that has a small but nonzero probability of being caught (i.e. $\hat\theta = \theta$ but $\hat b \neq b$) by applying complete measurements different from $M_+$ and $M_\times$. This strategy does not help Bob to increase his chance of receiving the bit $x$, as shown in [15].

In [36], Bob was allowed to perform generalized measurements on single BB84 qubits. These measurements are strictly more powerful than complete measurements but were shown not to allow Bob to cheat the protocol either. The final piece was provided by Yao [46], who showed that, given a perfectly secure bit commitment scheme, QOT is secure against any strategy allowed by quantum mechanics. The BBCS scheme can also be modified to deal with imperfect apparatus whilst remaining secure.

5.2 Classical vs. Quantum Cryptography 

Yao's proof of security for the BBCS scheme holds relative to the existence of a secure bit commitment scheme. It follows that the scheme described above does not provide security for free (as is the case for quantum key distribution) but rather reduces the security of QOT to the security of bit commitment. Nevertheless, we achieve something classical cryptography does not: secure oblivious transfer based on bit commitment. Classically, bit commitment can be built from any one-way function, whereas oblivious transfer is only known to follow from trapdoor one-way functions. It is very unlikely that one can find a proof that one-way functions and trapdoor one-way functions are in fact the same thing [23]. In the classical world, bit commitment is a weaker primitive than oblivious transfer. On the other hand, Yao's proof has shown that quantumly, oblivious transfer is reducible to bit commitment. It follows that oblivious transfer can be based on a weaker assumption in the quantum world (i.e. the existence of one-way functions) than in the classical world.

6 Quantum Bit Commitment 

The next important question is whether or not QOT can be shown secure under the sole assumption that quantum mechanics is correct. This would allow one to base any secure two-party computation upon the same principles as quantum key distribution [31,35,6]. The first attempt to find a secure quantum bit commitment scheme is as old as the first protocol for quantum key distribution [1]. This first scheme was known to be insecure but it was believed that a secure one could be found. Several attempts were made in order to fix the original scheme [11,12]. The last one was even claimed to be unbreakable [12]. Unfortunately, two years later Mayers found a subtle flaw in the last proposal [32]. Afterward, Mayers realized that the flaw he found was not only due to the particular broken protocol but could be applied to a large class of quantum protocols for bit commitment [33]. This was also observed independently by Lo and Chau [27]. It is now known that no quantum bit commitment exists with security based only on the correctness of the axioms of quantum mechanics [33,34].

In this section, we shall look at the general idea behind Mayers' proof and see why quantum mechanics completely forbids the existence of bit commitment. Apart from being used in the proof of [33], the concepts introduced here are of independent interest. In particular, they show the striking difference between classical and quantum information. Quantum information will appear much more elusive than its classical counterpart.

6.1 Purification 

In this section we shall discuss the main tool needed in order to prove Mayers' theorem. It is shown how a quantum mixture can be embedded in a pure state. This process is called purification of a mixed state.

We start by considering an example taken from the BB84 coding scheme. Let BB84(0) be the possible BB84 transmissions of the classical bit $b = 0$:

BB84(0)

1. $S$ picks a random $\theta \in \{+, \times\}$,

2. $S$ sends a photon $\pi$ in quantum state $|0\rangle_\theta$ through the quantum channel.

Clearly, the mixture associated with one transmission through BB84(0) is $\mathcal{D}_0 = \{(\tfrac12, |0\rangle_+), (\tfrac12, |0\rangle_\times)\}$, which has density operator $\rho_0$ as described in section 4.2. Now let us introduce a similar way to send one of the random states $|0\rangle_+$ and $|0\rangle_\times$ without requiring $S$ to pick a random basis as in step 1 of BB84(0):

BB84*(0)

1. $S$ prepares $|\Psi\rangle = \tfrac{1}{\sqrt2}\bigl(|0\rangle \otimes |0\rangle_+ + |1\rangle \otimes |0\rangle_\times\bigr) \in \mathcal{H}_4$,

2. $S$ keeps the first (the left) particle and sends the other (the right) one,

3. $S$ measures in the standard basis "$+$" the particle he has kept. If the outcome is 0 then he sets $\theta = +$, otherwise he sets $\theta = \times$.

In BB84*(0), $S$ never uses coin flips in order to determine which one of the two possible states $|0\rangle_+$ or $|0\rangle_\times$ is going to be sent. The coin is provided by adding an extra particle, called the auxiliary system (or ancilla), that is in a superposition of the two possible outcomes of the coin toss. The auxiliary system is entangled with the particle that stores the qubit to be sent. When the state of the auxiliary system is measured, the state of the qubit is determined. Before the measurement, the states of the qubit and of the auxiliary system were not determined. To see this, consider the standard complete measurement that $S$ applies on $|\Psi\rangle$. The pure state $|\Psi\rangle$ can be written as

When $S$ executes $M_+$, he will observe the outcome $P_0$ (i.e. the projection on $|0\rangle$) with probability
\[ p(0) = \langle\Psi|(P_0 \otimes I_2)|\Psi\rangle = \bigl\|(P_0 \otimes I_2)|\Psi\rangle\bigr\|^2 = \tfrac12 . \]
This means that with probability $\frac12$, $S$ observes 0 and $|\Psi\rangle$ is projected onto the state
\[ |\Psi_0\rangle = |0\rangle \otimes |0\rangle_+ . \tag{14} \]
With probability $p(1) = 1 - p(0) = \frac12$ the standard measurement produces the outcome 1, which projects the original state $|\Psi\rangle$ onto $|\Psi_1\rangle$ defined as
\[ |\Psi_1\rangle = |1\rangle \otimes |0\rangle_\times . \tag{15} \]
Equations 14 and 15 imply that the receiver $R$ is going to receive $|0\rangle_+$ with probability $p(0) = \frac12$ and $|0\rangle_\times$ with probability $p(1) = \frac12$. From $R$'s point of view, the mixed state he receives is $\mathcal{D}_0$, as it is for BB84(0). Since the density operators of BB84(0) and BB84*(0) are the same, $R$ has no way to tell which preparation $S$ is using to send the qubit.

Now, consider the mixed state $\mathcal{D}_B = \{(\cos^2\tfrac{\pi}{8}, |b_0\rangle), (\sin^2\tfrac{\pi}{8}, |b_1\rangle)\}$ and its purification
\[ |\Psi_B\rangle = \cos\tfrac{\pi}{8}\,|0\rangle \otimes |b_0\rangle + \sin\tfrac{\pi}{8}\,|1\rangle \otimes |b_1\rangle . \]
If the leftmost particle is measured with the standard measurement then with probability $p_B(0) = \cos^2\tfrac{\pi}{8}$ the outcome 0 will be observed. We see that $p_B(0)$ and $p(0)$ (defined above) are not the same but, as we have seen in section 4.2, $\mathcal{D}_B$ and $\mathcal{D}_0$ share the same density operator $\rho_0$. The two purifications $|\Psi\rangle$ and $|\Psi_B\rangle$ are therefore two different purifications of the same mixed state.

It is always possible to replace a probabilistic procedure such as BB84(0) by an equivalent one where no coin toss is necessary. Consider an arbitrary mixture $\mathcal{D} = \{(p_i, |s_i\rangle)\}_{i=1}^{\ell}$ where each $|s_i\rangle$ belongs to the Hilbert space $\mathcal{H}$. Let $\mathcal{H}_\ell$ be a Hilbert space of dimension at least $\ell$. A system $\Psi_{\mathcal{D}} \in \mathcal{H}_\ell \otimes \mathcal{H}$ in pure state
\[ |\Psi_{\mathcal{D}}\rangle = \sum_{i=1}^{\ell} \sqrt{p_i}\,|i\rangle \otimes |s_i\rangle \tag{16} \]
is called a purification of $\mathcal{D}$. The auxiliary system (the leftmost register) is used to store the indices of all possible coin toss outcomes. Let $w \in \{1, \ldots, \ell\}$ be written in binary as $\mathrm{Binary}(w) = w_0, w_1, \ldots, w_l$. A value for $w$ is encoded in the pure state $|w\rangle = |w_0\rangle \otimes |w_1\rangle \otimes \cdots \otimes |w_l\rangle \in \mathcal{H}_\ell$. The state of equation 16 is guaranteed, when the leftmost register is measured with $M_+$, to give the outcome $w$ with probability $p_w$, in which case the rightmost register is projected onto the state $|s_w\rangle$. This is exactly the behaviour of the mixed state $\mathcal{D}$, now provided by the entanglement of an auxiliary system with the pure states in $\mathcal{D}$.

One strange thing about purifications is that they allow one to perform operations upon the result of a coin toss without knowing the outcome of the coin toss. For instance, in BB84*(0) it is not necessary for $S$ to measure the register he keeps. Not measuring it changes nothing in what $R$ will receive; it is still the mixed state $\mathcal{D}_0$ that is sent. But if $S$ does not measure the kept register then he does not know what state has actually been transmitted, although he knows that it has been chosen according to $\mathcal{D}_0$. The only way of doing this classically would be to require the sender to forget what he had done.
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6.2 Purifying a Coin Toss 

The most simple case of purification is probably the coin toss. Suppose that one 
instruction in a quantum protocol requires to flip a biased coin C{p) as follows 



C{p) 



1 with probability p, 

0 with probability 1 — p. 



Unlike classically, it is possible to store a coin toss in a quantum memory without 
forcing the outcome. This is straightforward to achieve by preparing a quantum 
register tf'c(p) in state 



l^c(p)) — a/p |i) + \/i — P |o)- 

By measuring \'I'c{p)} with measurement M+ one gets the outcome Pq with prob- 
ability 1—p and the outcome P.| with probability p. As long as the measurement 
is not performed, the register |S/(p)) keeps both possibilities in superposition. 
The coin toss itself is a quantum object. Classically, a coins toss does not exist 
until the outcome is known. 

Assume that a quantum register is in mixed state $\rho \in \mathcal{H}$ and $U_0$ and $U_1$ are two unitary transforms acting on states in $\mathcal{H}$. One application of the quantum coin toss is the purification of the sequence of instructions:

1. Pick $r \in \{0,1\}$ such that $P(r = 1) = p$,

2. Apply $U_r$ to $\rho$, for some arbitrary density operator $\rho \in \mathcal{H}$.

Let us define a unitary transformation $U \in \mathcal{H}_2 \otimes \mathcal{H}$ acting on a one-qubit register $\Psi_{C(p)}$ in addition to the register in state $\rho$. Transformation $U$ simply applies $U_0$ to $\rho$ if register $|\Psi_{C(p)}\rangle = |0\rangle$ and applies $U_1$ to $\rho$ if $|\Psi_{C(p)}\rangle = |1\rangle$. Let $E = \{e_1, \ldots, e_m\}$ be an orthonormal basis for $\mathcal{H}$. Transformation $U$ is defined as
\[ \begin{aligned} |0\rangle \otimes |e_1\rangle &\mapsto |0\rangle \otimes U_0|e_1\rangle \\ |0\rangle \otimes |e_2\rangle &\mapsto |0\rangle \otimes U_0|e_2\rangle \\ &\ \ \vdots \\ |0\rangle \otimes |e_m\rangle &\mapsto |0\rangle \otimes U_0|e_m\rangle \\ |1\rangle \otimes |e_1\rangle &\mapsto |1\rangle \otimes U_1|e_1\rangle \\ &\ \ \vdots \\ |1\rangle \otimes |e_m\rangle &\mapsto |1\rangle \otimes U_1|e_m\rangle . \end{aligned} \]
The fact that both $U_0$ and $U_1$ are unitary ensures that $U$ is also unitary. Using a quantum coin toss and transformation $U$, one can purify the above instructions as follows:

1. Prepare a register in state $|\Psi_{C(p)}\rangle$,

2. Apply $U\bigl(|\Psi_{C(p)}\rangle\langle\Psi_{C(p)}| \otimes \rho\bigr)U^{\dagger}$.

It can easily be shown that both procedures generate the same mixture. Measuring the leftmost register allows one to select the coin toss outcome and consequently which of $U_0$ or $U_1$ has been applied on the rightmost register.

In the above construction, the number of outcomes for the coin toss is irrelevant. Any coin toss distribution $D = \{(p_i, i)\}_i$ can be purified the same way.

6.3 Purifying a Measurement 

The purification process is not only possible on $S$'s side of the quantum channel. It can also be done on the receiving end. Typically, $R$ is supposed to measure a particle $\pi$ with some measurement $M$ picked according to a distribution $D_M = \{(p_1, M_1), (p_2, M_2), \ldots, (p_l, M_l)\}$. A purification of such a process would allow one to perform all possible measurements in superposition until $R$ wants to know which measurement and which outcome he gets. When he does so, $R$ gets the outcome of a measurement picked according to distribution $D_M$.

Without loss of generality, let us assume that $D_M = \{(p_+, M_+), (p_\times, M_\times)\}$. The BB84 coding scheme corresponds to the special case $p_+ = p_\times = \frac12$. Assume that a quantum register in state $|\Psi_{C(p_\times)}\rangle = \sqrt{p_+}\,|0\rangle + \sqrt{p_\times}\,|1\rangle \in \mathcal{H}_2$ contains a purification of the coin toss $C(p_\times)$ as described in the previous section (outcome 0 selects $M_+$ and outcome 1 selects $M_\times$). Let $\pi$ be a qubit that $R$ is supposed to measure according to $D_M$. We now define the unitary transformation $U_M \in \mathcal{H}_2 \otimes \mathcal{H}_2$ that performs the required purification (the left factor is the coin register, the right factor is $\pi$):
\[ U_M : \begin{aligned} |0\rangle \otimes |0\rangle &\mapsto |0\rangle \otimes |0\rangle \\ |1\rangle \otimes |0\rangle &\mapsto \tfrac{1}{\sqrt2}\,|1\rangle \otimes (|0\rangle + |1\rangle) \\ |0\rangle \otimes |1\rangle &\mapsto |0\rangle \otimes |1\rangle \\ |1\rangle \otimes |1\rangle &\mapsto \tfrac{1}{\sqrt2}\,|1\rangle \otimes (|0\rangle - |1\rangle) . \end{aligned} \]
In other words, $U_M$ applies the Hadamard transform to $\pi$ exactly when the coin register is $|1\rangle$, which maps the $\times$ basis onto the $+$ basis. The register containing the coin toss is the auxiliary system of the purification. Transformation $U_M$ stores the measurement in the auxiliary system and stores the outcome in the system that initially encoded particle $\pi$. Let $|b\rangle_\theta$ be a BB84 qubit and let $|\Psi_{C(p_\times)}\rangle$ be the purification of an arbitrary coin toss. One can verify that
\[ U_M\bigl(|\Psi_{C(p_\times)}\rangle \otimes |b\rangle_\theta\bigr) = \sqrt{p_+}\,|0\rangle \otimes \bigl(\sqrt{P_+(0)}\,|0\rangle \pm \sqrt{P_+(1)}\,|1\rangle\bigr) + \sqrt{p_\times}\,|1\rangle \otimes \bigl(\sqrt{P_\times(0)}\,|0\rangle \pm \sqrt{P_\times(1)}\,|1\rangle\bigr) \]
where $P_{\hat\theta}(\hat b)$ is the probability of the outcome $\hat b$ whenever the initial state is $|b\rangle_\theta$ and the measurement is $M_{\hat\theta}$. If the leftmost register is measured with $M_+$ then the outcome $P_0$ is obtained with probability $p_+$ and the rightmost register contains the possible outcomes of measurement $M_+$ when applied to the BB84 state $|b\rangle_\theta$. Similarly, the outcome $P_1$ is obtained with probability $p_\times$ and the rightmost register contains the possible outcomes of measurement $M_\times$ when applied to $|b\rangle_\theta$. If measurement $M_+$ is applied on the rightmost particle first, an outcome $\hat b$ is obtained without the measurement being completely specified. The leftmost register is then in a superposition of all possible measurements that can produce outcome $\hat b$ when the initial state is $|b\rangle_\theta$. Purifying a random measurement and measuring the rightmost register (the outcome register) allows one to get the outcome of an unknown measurement!

Suppose $R$ is asked to perform a measurement $M \in \{M_+, M_\times\}$ according to distribution $D_M$ on the particle $\pi$. Let $|b\rangle_\theta \in \mathcal{H}_2$ be an unknown BB84 state for $\pi$ that is received by $R$ through the quantum channel. The following implements a purification of this procedure, given a register containing the coin toss $|\Psi_{C(p_\times)}\rangle$ for choosing according to $D_M$:

1. $R$ applies $|\Psi_M\rangle = U_M\bigl(|\Psi_{C(p_\times)}\rangle \otimes |b\rangle_\theta\bigr)$.

The state $|\Psi_M\rangle$ contains a superposition of both possible measurements. If at some point after the BB84 transmission $R$ must announce the outcome of a random measurement $M_{\hat\theta}$ for $\hat\theta \in \{+, \times\}$ according to $D_M$, then the measurement $M_+$ applied to the rightmost register gives a possible outcome. To fix the measurement $M$, $R$ only measures the leftmost register with $M_+$. If $P_0$ is obtained then the selected measurement was $M = M_+$, otherwise $M = M_\times$ was selected. Applying $U_M$ to a coin toss $C(\frac12)$ register and a BB84 particle $\pi$ purifies $R$'s part of the BB84 transmission. The same technique can be used for sets of any $N$ possible measurements by using an $N$-outcome quantum coin toss.

The measurement $M_+$ performed by $R$ on the leftmost register does nothing to the rightmost register and is formally defined as $M = M_+ \otimes I_2$. It is an incomplete measurement since it has only 2 distinct eigenvalues but acts in $\mathcal{H}_4$.

6.4 From One Purification to Another 

In this section we shall argue that two purifications of the same mixed state are in fact equivalent. By equivalent we mean that one can transform a purification into another purification of the same mixture by acting only on the auxiliary part of the purification. This is a result of Hughston, Jozsa and Wootters [22].

Let us consider the unitary transformation $U^* = SH$ (see section 2.3) acting in $\mathcal{H}_2$ when applied on the auxiliary part of $|\Psi\rangle$:
\[ \begin{aligned} (U^* \otimes I_2)|\Psi\rangle &= (SH \otimes I_2)\,\tfrac{1}{\sqrt2}\bigl(|0\rangle \otimes |0\rangle_+ + |1\rangle \otimes |0\rangle_\times\bigr) \\ &= \tfrac12\bigl((|0\rangle - |1\rangle) \otimes |0\rangle_+ + (|0\rangle + |1\rangle) \otimes |0\rangle_\times\bigr) \\ &= \tfrac12\Bigl((|0\rangle - |1\rangle) \otimes \bigl(\cos\tfrac{\pi}{8}|b_0\rangle - \sin\tfrac{\pi}{8}|b_1\rangle\bigr) + (|0\rangle + |1\rangle) \otimes \bigl(\cos\tfrac{\pi}{8}|b_0\rangle + \sin\tfrac{\pi}{8}|b_1\rangle\bigr)\Bigr) \\ &= \cos\tfrac{\pi}{8}\,|0\rangle \otimes |b_0\rangle + \sin\tfrac{\pi}{8}\,|1\rangle \otimes |b_1\rangle \\ &= |\Psi_B\rangle . \end{aligned} \]
Applying $U^*$ on the auxiliary part of $|\Psi\rangle$ transforms purification $|\Psi\rangle$ into purification $|\Psi_B\rangle$. This allows $S$ to decide which preparation, $\mathcal{D}_0$ or $\mathcal{D}_B$, he wants to use even after the particle is gone! $S$ just prepares the purification of $\mathcal{D}_0$ and sends the rightmost particle to $R$, keeping the auxiliary system. If at some point $S$ changes his mind and wants to have prepared the photon already sent using preparation $\mathcal{D}_B$ instead, then he just applies $U^*$ to the auxiliary part.
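The following added example (not from the paper) checks the three purification facts of sections 6.1, 6.3 and 6.4 numerically in plain Python: the two purifications $|\Psi\rangle$ and $|\Psi_B\rangle$ trace out to the same $\rho_0$, the controlled-Hadamard $U_M$ reproduces the outcome statistics of a random choice between $M_+$ and $M_\times$, and $U^* = SH$ acting on the auxiliary register alone turns $|\Psi\rangle$ into $|\Psi_B\rangle$. Section 2.3, which defines $S$, is not part of this excerpt; the code assumes $S = \mathrm{diag}(1, -1)$ (the sign flip), the choice for which $SH|0\rangle = \tfrac{1}{\sqrt2}(|0\rangle - |1\rangle)$ as the derivation above uses.

```python
"""Purifications of Sections 6.1, 6.3 and 6.4 checked numerically (added example).

Two-qubit states are 4-vectors of real amplitudes indexed by 2*left + right, where
the left qubit is the auxiliary register (S's kept particle or R's coin) and the
right qubit is the BB84 particle. No numpy: explicit 2x2 / 4x4 arithmetic.
"""
import math

R2 = 1 / math.sqrt(2)
C8, S8 = math.cos(math.pi / 8), math.sin(math.pi / 8)
I2 = [[1.0, 0.0], [0.0, 1.0]]
H = [[R2, R2], [R2, -R2]]             # Hadamard
S = [[1.0, 0.0], [0.0, -1.0]]         # ASSUMED sign flip; Section 2.3 is not in this excerpt
KET = {"0+": [1.0, 0.0], "1+": [0.0, 1.0], "0x": [R2, R2], "1x": [R2, -R2]}
B0, B1 = [C8, S8], [-S8, C8]          # Breidbart basis of Section 4.2
RHO_0 = [[0.75, 0.25], [0.25, 0.25]]  # density operator of D_0, equation (11)

def kron(a, b):
    """left (x) right for two 2-vectors or two 2x2 matrices; index = 2*left + right."""
    if isinstance(a[0], list):
        return [[a[i // 2][j // 2] * b[i % 2][j % 2] for j in range(4)] for i in range(4)]
    return [a[i] * b[j] for i in range(2) for j in range(2)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def apply(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]

def lin(*terms):
    """Linear combination sum(coef * vec) of equally long vectors."""
    out = [0.0] * len(terms[0][1])
    for coef, vec in terms:
        out = [o + coef * x for o, x in zip(out, vec)]
    return out

def reduced_right(psi):
    """Partial trace over the left (auxiliary) qubit: the operator R actually holds."""
    return [[sum(psi[2 * k + i] * psi[2 * k + j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def close(a, b, tol=1e-12):
    flat = lambda m: [x for row in m for x in row] if isinstance(m[0], list) else m
    return all(abs(x - y) < tol for x, y in zip(flat(a), flat(b)))

# Section 6.1: |Psi> of BB84*(0) and |Psi_B> are purifications of D_0 and D_B
PSI = lin((R2, kron(KET["0+"], KET["0+"])), (R2, kron(KET["1+"], KET["0x"])))
PSI_B = lin((C8, kron(KET["0+"], B0)), (S8, kron(KET["1+"], B1)))

def purifications_agree():
    """Both purifications trace out to rho_0, so R cannot distinguish the preparations."""
    return close(reduced_right(PSI), RHO_0) and close(reduced_right(PSI_B), RHO_0)

# Section 6.4: U* = SH on the auxiliary register alone maps |Psi> to |Psi_B>
def u_star_moves_between_purifications():
    u_star = kron(matmul(S, H), I2)
    return close(apply(u_star, PSI), PSI_B)

# Section 6.3: U_M = |0><0| (x) I + |1><1| (x) H (a controlled Hadamard) purifies
# R's random choice between M_+ (coin = 0) and M_x (coin = 1)
U_M = [[1.0, 0.0, 0.0, 0.0], [0.0, 1.0, 0.0, 0.0], [0.0, 0.0, R2, R2], [0.0, 0.0, R2, -R2]]

def purified_prob0(bb84_state, p_plus):
    """P(outcome 0) when the rightmost register is measured with M_+ after U_M,
    starting from (sqrt(p_+)|0> + sqrt(p_x)|1>) (x) |b>_theta."""
    coin = [math.sqrt(p_plus), math.sqrt(1 - p_plus)]
    out = apply(U_M, kron(coin, KET[bb84_state]))
    return out[0] ** 2 + out[2] ** 2         # right qubit 0, either coin value

def unpurified_prob0(bb84_state, p_plus):
    """The same probability for an R who first flips the coin, then measures M_+ or M_x."""
    v = KET[bb84_state]
    p0_plus = v[0] ** 2                       # |<0|v>|^2
    p0_x = (R2 * (v[0] + v[1])) ** 2          # |<0_x|v>|^2
    return p_plus * p0_plus + (1 - p_plus) * p0_x

if __name__ == "__main__":
    print("same rho_0:", purifications_agree())
    print("U* maps Psi to Psi_B:", u_star_moves_between_purifications())
    for st in KET:
        print(st, purified_prob0(st, 0.5), unpurified_prob0(st, 0.5))
```

The last loop is the point of section 6.3 in numbers: measuring the outcome register first gives exactly the statistics $p_+P_+(\hat b) + p_\times P_\times(\hat b)$ of a receiver who had already flipped the coin, while the coin register stays unmeasured and can be collapsed later (or, as in section 6.5, never).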

The above construction is not a coincidence. Any pair of purifications $|\Psi\rangle$ and $|\Psi'\rangle$ of the same density operator is always related by a unitary transformation acting only on the auxiliary part of the purifications [22]. Let $\Psi \in \mathcal{H}_m \otimes \mathcal{H}_n$ be a purification of the density operator $\rho \in \mathcal{H}_n$. The Schmidt decomposition [22,38] allows one to write $|\Psi\rangle$ as a sum of bi-orthogonal terms. This means that there exist $r \le \min(m, n)$ (depending only on $\rho$) and two sets of orthonormal vectors $E = \{e_i\}_{i=1}^{r}$ and $F = \{f_i\}_{i=1}^{r}$ in $\mathcal{H}_m$ and $\mathcal{H}_n$ respectively, such that¹
\[ |\Psi\rangle = \sum_{i=1}^{r} u_i\,|e_i\rangle \otimes |f_i\rangle \tag{17} \]
where as usual $\sum_i |u_i|^2 = 1$. In equation 17, the set $\{|u_i|^2\}_{i=1}^{r}$ is the set of nonzero eigenvalues of $\rho \in \mathcal{H}_n$. Let $|\Psi'\rangle \in \mathcal{H}_m \otimes \mathcal{H}_n$ be another purification of the density operator $\rho \in \mathcal{H}_n$. We make the assumption that the auxiliary system in $\Psi'$ belongs to the same Hilbert space $\mathcal{H}_m$ as the auxiliary system for $\Psi$. This can be done without loss of generality by taking the larger Hilbert space whenever the auxiliary systems for $\Psi$ and $\Psi'$ are defined in different Hilbert spaces. From the Schmidt decomposition, there exist two sets of orthonormal vectors $E' = \{e'_i\}_{i=1}^{r}$ and $F' = \{f'_i\}_{i=1}^{r}$ such that
\[ |\Psi'\rangle = \sum_{i=1}^{r} u'_i\,|e'_i\rangle \otimes |f'_i\rangle . \tag{18} \]
Clearly, the unitary transformation $W \in \mathcal{H}_m$ defined for all $i \in \{1, \ldots, r\}$ as
\[ W : |e_i\rangle \mapsto |e'_i\rangle \]
is such that
\[ (W \otimes I_n)|\Psi\rangle = |\Psi'\rangle \]
since the subsystem in $\mathcal{H}_n$ is the same mixed state $\rho$ in both purifications. In this case, it can be shown that $F = F'$ (up to phases, and up to the choice of basis inside a degenerate eigenspace of $\rho$; $W$ must then be chosen to match that choice as well).

¹ More precisely, let $|\Psi\rangle \in \mathcal{H}_1 \otimes \mathcal{H}_2$ be an arbitrary pure state and let $\rho = |\Psi\rangle\langle\Psi|$ be the associated projection. Let $\rho_1 = \mathrm{Tr}_{\mathcal{H}_1}(\rho)$ and $\rho_2 = \mathrm{Tr}_{\mathcal{H}_2}(\rho)$ be the partial traces of $\rho$ over $\mathcal{H}_1$ and $\mathcal{H}_2$ respectively. It is always the case that $\rho_1$ and $\rho_2$ share the same $r$ nonzero eigenvalues (with the same multiplicity), for some $r \le \min(\mathrm{Dim}(\mathcal{H}_1), \mathrm{Dim}(\mathcal{H}_2))$. The Schmidt polar form of $|\Psi\rangle$ is described in equation 17 and is such that the vectors in $\{e_i\}_{i=1}^{r}$ are mutually orthogonal, as are the vectors in $\{f_i\}_{i=1}^{r}$. This is why we call this a decomposition as a sum of bi-orthogonal terms.
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6.5 Purifying a Quantum Protocol 

The main idea behind Mayers’ proof is that purifications can be applied not 
only to the cases we have seen previously but to any sequence of instructions 
that might occur in a protocol. One party can, without having any chance of 
being caught, execute his part of the protocol at the quantum level, meaning 
that every action is purified. 

Let us first review what set of instructions one party involved in a quan- 
tum protocol should be able to perform. The instructions should be enough to 
execute what we considered intuitively a quantum protocol (that is basically a 
pair of algorithms usually not quantum connected by a classical and a quantum 
channels). The algorithm of party V defines, at each step, a transition function 
from the actual view V G V to the new view V' G V for an arbitrary set of pos- 
sible views V. The view V can be seen as the memory a player needs in order to 
complete the execution of the protocol. The following describes what V should 
be able to execute at step h > 0 given the view V;i_i after step h — 1 (i.e. Vo is 
the initial secret input if needed) : 

1. Picks a random bit r such that P (r = 1) = p and sets Vh = Vh-i U {{h, r)}, 

2. Computes a function / : V — > V and sets Vh = Vh-i U {(h, /(V))}, 

3. Announces, through the classical channel, the value v € {0, 1} of some mem- 
ory register and sets Vh = Vh-i U {(/i,u)}, 

4. Sends a qubit in state depending on the view V through the quantum chan- 
nel, 

5. Stores in memory a classical bit received through the classical channel, 

6. Measures a qubit received through the quantum channel using measurement 
M chosen according the view V. The outcome Om is added to the actual 
view Vh = Vh-i U {{h, Om)} (note that not measuring the received qubit is 
also covered by this case since it is equivalent to apply measurement 1). 

Intuitively, if one party V can execute all these instructions then V can execute 
any quantum protocol. As we have seen in sections 6. 1,6. 2, and 6.3, most of 
the above instructions can be purified if they are considered isolated. The only 
missing piece is how to compose them in a such a way that the properties of 
purification remain. Suppose V has a quantum memory QM € where TL is large 
enough for storing all possible states in V. Suppose that initially 7^’s quantum 
memory QM S is in state |QMq) where QMg is state Vq encoded in quantum 
registers. During the course of actions, QM will evolve to a quantum mixture 
since mixed states will be received through the quantum channel and entangled 
registers will be sent. We denote by pQn{h) the mixed state of QM after step h > 0. 
V purifies each of the above instructions as follows: 

1. $\mathcal{P}$ prepares a new quantum register in state $|\Psi_c(p)\rangle$. The quantum memory is now in state $\rho_{QM}(h) = \rho_{QM}(h-1) \otimes |\Psi_c(p)\rangle$.

2. Let $U_f \in \mathcal{H}$ be a unitary transformation implementing $f$. It might be the case that $\mathcal{P}$ has to append a few quantum registers in some pure state $|\phi\rangle$ in order to satisfy the requirement that $U_f$ is unitary. The new state of $QM$ is $\rho_{QM}(h) = U_f(\rho_{QM}(h-1) \otimes |\phi\rangle)$.

3. $\mathcal{P}$ applies the standard measurement $M_+$ on the quantum register $R_v$ containing $v$. He announces 0 if the outcome is $P_0$ and announces 1 if the outcome is $P_1$. The new state $\rho_{QM}(h)$ of $QM$ can be computed in terms of $\rho_{QM}(h-1)$ as described in equation 7.

4. $\mathcal{P}$ simply sends away the quantum register containing the qubit to be sent. This operation mixes the state of $QM$. The new state $\rho_{QM}(h)$ is $\rho_{QM}(h-1)$ without register $R_v$ (formally speaking, $\rho_{QM}(h)$ is the partial trace of $\rho_{QM}(h-1)$ with respect to register $R_v$). The state of the qubit can be determined by a sequence of coin tosses previously generated and other quantum registers. The purification is performed by an easy generalization of the method described in section 6.1.

5. $\mathcal{P}$ adds a new register in state $|b\rangle$ to $QM$ where $b \in \{0, 1\}$ is the bit received through the classical channel. The new state is $\rho_{QM}(h) = \rho_{QM}(h-1) \otimes |b\rangle$.

6. In this case, $\mathcal{P}$ does not store the outcome but all possible outcomes of all possible measurements, as we have seen in section 6.3. It is always possible to determine a unitary transformation $U_M$ which applies each measurement specified by the state of some registers in $QM$. This is because the set of registers involved in the choice of the measurement behaves like a set of quantum coin tosses.

Suppose a protocol performed between $\mathcal{P}$ and $\mathcal{P}'$ has the property that the final view of $\mathcal{P}'$ corresponds to the mixed state $\rho' \in \mathcal{H}'$. If $\mathcal{P}$ purifies each step then the state of the system $\Psi$ that contains $\mathcal{P}$'s quantum memory $QM$ plus all that $\mathcal{P}'$ has generated and received during the execution is the pure state $|\Psi\rangle \in \mathcal{H} \otimes \mathcal{H}'$, where $\mathcal{H}'$ is the Hilbert space for $\mathcal{P}'$'s part of the system. Moreover, since $\mathcal{P}$'s behaviour is indistinguishable from the non-purified execution of the protocol (that is the main property of the purification process), we have that $|\Psi\rangle$ is a purification of $\rho'$.

To learn more about how to purify a quantum protocol, consult [33] and [34].

6.6 Quantum Bit Commitment Is Impossible 

We are now ready to conclude the impossibility of quantum bit commitment. Suppose BC is a candidate for a secure quantum bit commitment scheme between Alice, the sender, and Bob, the receiver. A secure protocol for bit commitment must be

Concealing: Let $\rho_{BC}(0) \in \mathcal{H}'$ and $\rho_{BC}(1) \in \mathcal{H}'$ be the density operators corresponding to the mixed state received by Bob when Alice commits to 0 and 1 respectively. In order for the commitment to be concealing, it must be the case that $\rho_{BC}(0) \approx \rho_{BC}(1)$.

Binding: Once the committing phase is completed, Alice can open with success only one bit $b$.

We show that if the concealing condition holds then necessarily the binding condition does not. First, if $\rho_{BC}(0)$ and $\rho_{BC}(1)$ are noticeably different then they can be distinguished with good probability by a quantum measurement. For more information about how distinguishable different density operators are, consult [21]. In the following, we assume that $\rho_{BC}(0) = \rho_{BC}(1)$ instead of being approximately the same. To see how to address the case where $\rho_{BC}(0)$ and $\rho_{BC}(1)$ are close but not identical, consult [32]. Alice's attack, described next, is the same in both cases.

Assume that Alice purifies the commitment of $b = 0$ using the technique described in the last section. The resulting quantum system $\Psi_0 \in \mathcal{H} \otimes \mathcal{H}'$ that contains Alice's $QM$ and what has been generated and received by Bob is a purification of $\rho_{BC}(0)$. At revelation, Alice can open $b = 0$ since all information that was needed in order to commit honestly to $b = 0$ is still accessible in $QM$. After the revelation phase, Bob accepts the opening of $b = 0$ exactly as in the honest case (this is what purification is all about).

Alice could have purified the commitment of $b = 1$ instead. This would result in a quantum purification $\Psi_1 \in \mathcal{H} \otimes \mathcal{H}'$ for the mixed state $\rho_{BC}(1)$ corresponding to the commitment of $b = 1$. When $\Psi_1$ is created, $QM$ contains all the necessary information to open $b = 1$. Since $\rho_{BC}(1) = \rho_{BC}(0)$ it follows that $|\Psi_1\rangle$ is a purification of $\rho_{BC}(0)$ as well.

Assume Alice wants to open $b = 1$. We now take full advantage of the purification of $\rho_{BC}(0)$. In the last section, we have seen that for any pair of purifications $\Psi_0$ and $\Psi_1$ of the same density operator $\rho_{BC}(0)$ there exists a unitary transformation $W \in \mathcal{H}$ such that

$|\Psi_1\rangle = (W \otimes \mathbb{1}_{\mathcal{H}'})\,|\Psi_0\rangle$ .

Moreover, the transformation $W$ depends only upon the protocol specification and is independent of what Bob does. Alice can therefore open $b = 1$ after having applied $W$ on her part of the system (i.e. on $QM$) just by following the revelation protocol honestly.

In conclusion, here is the always successful attack against the quantum bit commitment scheme BC:

1. Alice purifies the commitment of $b = 0$,

2. If Alice wants to open $b = 0$, she executes the revelation protocol from her part of the purification stored in $QM$,

3. If Alice wants to open $b = 1$, she applies $W$ on $QM$ and follows the revelation protocol for $b = 1$.

This strategy is indistinguishable from the honest one and therefore can be applied to any candidate for a quantum bit commitment scheme. We conclude that no quantum bit commitment exists.
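The impossibility argument rests on one linear-algebra fact: two purifications of the same density operator differ only by a unitary acting on the purifying system. The following is an added example, not part of the original chapter, that checks this fact on a constructed two-qubit toy (Alice's register $A$, Bob's register $B$, amplitudes stored as plain Python lists): two entangled states that leave Bob with the same reduced state, the bit-flip $W$ that maps one onto the other, and, for contrast, a pair of product states that Bob can tell apart perfectly (binding but not concealing). The states, the choice of $W$ and all function names are our own; no concrete commitment scheme is modelled.

```python
"""Two purifications of one density operator are related by a unitary on
the purifying register only; the concealing/binding tension on a toy system.

Added example, not part of the original chapter. Two-qubit amplitudes are
indexed by 2*a + b for the basis state |a>|b> (a: Alice, b: Bob). The
states PSI_0, PSI_1 and the unitary W = PAULI_X are our own constructed
illustration.
"""
import math

INV_SQRT2 = 1 / math.sqrt(2)

PSI_0 = [INV_SQRT2, 0, 0, INV_SQRT2]   # (|00> + |11>) / sqrt 2
PSI_1 = [0, INV_SQRT2, INV_SQRT2, 0]   # (|01> + |10>) / sqrt 2
PAULI_X = [[0, 1], [1, 0]]             # bit flip on Alice's register: our W


def bobs_reduced_state(psi):
    """rho' = Tr_A |psi><psi|: the 2x2 density operator Bob actually holds."""
    rho = [[0j, 0j], [0j, 0j]]
    for b in range(2):
        for b2 in range(2):
            rho[b][b2] = sum(psi[2 * a + b] * psi[2 * a + b2].conjugate()
                             for a in range(2))
    return rho


def apply_on_alice(w, psi):
    """(W tensor 1)|psi>: act with the 2x2 matrix w on register A only."""
    out = [0j] * 4
    for a in range(2):
        for b in range(2):
            out[2 * a + b] = sum(w[a][a2] * psi[2 * a2 + b] for a2 in range(2))
    return out


def close(u, v, tol=1e-12):
    """Componentwise comparison of two state vectors."""
    return all(abs(x - y) < tol for x, y in zip(u, v))


def trace_distance(rho, sigma):
    """(1/2) Tr |rho - sigma| for 2x2 Hermitian matrices (half the sum of
    the absolute eigenvalues of the difference). The best measurement
    distinguishes rho from sigma with success probability (1 + distance)/2,
    so distance 0 means Bob learns nothing about which state he holds.
    """
    d = [[rho[i][j] - sigma[i][j] for j in range(2)] for i in range(2)]
    tr = (d[0][0] + d[1][1]).real
    det = (d[0][0] * d[1][1] - d[0][1] * d[1][0]).real
    disc = math.sqrt(max(tr * tr - 4 * det, 0.0))
    return (abs((tr + disc) / 2) + abs((tr - disc) / 2)) / 2


def concealing_but_not_binding():
    """Bob's reduced states coincide, and W alone switches the purification."""
    rho0, rho1 = bobs_reduced_state(PSI_0), bobs_reduced_state(PSI_1)
    return {
        "bob_cannot_distinguish": trace_distance(rho0, rho1) < 1e-12,
        "W_switches_commitment": close(apply_on_alice(PAULI_X, PSI_0), PSI_1),
    }


def binding_but_not_concealing():
    """Contrast: product states |0>|0> and |0>|1> give Bob trace distance 1."""
    psi_0, psi_1 = [1, 0, 0, 0], [0, 1, 0, 0]
    return trace_distance(bobs_reduced_state(psi_0), bobs_reduced_state(psi_1))


if __name__ == "__main__":
    print(concealing_but_not_binding())
    print("distinguishable case, trace distance:", binding_but_not_concealing())
```

The second function makes the trade-off concrete: as soon as Bob's two reduced states differ, the trace distance tells him how well he can distinguish them, which is exactly the concealing failure the text refers to [21].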

7 Conclusion 

It is now clear that in quantum cryptography, security in two-party games is much more difficult to achieve than the security of Alice and Bob against the world. Security against the world is what is needed in order to achieve secret-key distribution, and that quantum cryptography can do for free. However, two-party games involve two parties that, although collaborative, do not trust the integrity of the other. In this model, we discussed the fact that quantum oblivious transfer is reducible to bit commitment, which is not known (or expected) to be true in the classical world. We have also seen that the security conditions for bit commitment cannot be met by any purely quantum process. After Mayers had shown that no quantum bit commitment exists, the spontaneous attitude was to try taking advantage of subtle assumptions appearing in the theorem statement. Most of those approaches use classical assumptions that have to hold only temporarily, the goal being to build from such assumptions a commitment scheme that is both concealing and binding even after the assumption is withdrawn. Unfortunately, none of these attempts provided more than what classical cryptography alone provides [13]. Mayers' attack is now known to apply in scenarios lying beyond the original statement of the no-go theorem. It can also be shown that perfect quantum coin tossing is impossible [28]. However, quantum bit commitment is possible under physical (not computational) assumptions. In [40], it has been shown that if one party is restricted to perform a subset of all possible generalized quantum measurements then quantum bit commitment is possible. The subset of possible measurements can be chosen in such a way that the assumption is likely to hold in any practical situation that will occur in the foreseeable future. In other words, the existence of a unitary process that breaks a quantum protocol does not necessarily imply that it can be implemented in real life. There is an inherent asymmetry between the complexity of the physical processes involved in the execution of quantum protocols and those involved in quantum algorithms breaking them. It is not clear whether Mayers' attack will be implementable in real life for all practical quantum bit commitment protocols. It would be interesting to characterize the physical complexity of the attack against protocols designed to make it difficult to implement.

Although they aim at solving the same kind of problems, the structures of quantum and classical cryptography differ. In a particular situation, one may offer advantages over the other. One thing we have not talked about yet is the possibility of using hybrid systems. Quantum encoding of information, like the BB84 coding scheme, allows sending classical information in an oblivious way. The receiver does not know for sure what the original classical bit was, and the sender does not know whether or not the receiver got the bit sent. But the sender, by announcing the transmission basis $b$, allows the receiver to determine whether or not he received the bit perfectly. This simple primitive, although not powerful enough to provide bit commitment, cannot be done classically using no assumptions. It would be interesting to see if it can be used in a purely classical setting in order to weaken the classical assumptions required for a particular task. We have already seen that this is the case for oblivious transfer based on bit commitment; what about other cases?

In conclusion, quantum information is more elusive than its classical counterpart. One must always take care when analyzing and reasoning about quantum protocols. Although the Holy Grail is not achievable quantumly (nor classically), quantum cryptography offers a good alternative to classical cryptography. Quantum cryptography provides a framework independent of complexity-based cryptography, and several open questions remain in order to get a better understanding of its possibilities and limits.
Abstract. The fact that most presently-used cryptosystems cannot be rigorously proven secure and hence permanently face the risk of being broken motivates the search for schemes with unconditional security. The corresponding proofs however must be based on information theory rather than complexity theory. One reason for this is the lack of known lower bounds on the running time of algorithms solving certain computational problems such as the discrete-logarithm problem or the integer-factoring problem. At the beginning of an information-theoretic analysis of cryptosystems stands Shannon's definition of perfect secrecy, unquestionably the strongest possible security definition, and his well-known inequality giving a lower bound on the key length of every perfectly secret cipher, thus suggesting that such a high level of confidentiality cannot be realized in any practical scheme. This pessimism has later been qualified by several authors who showed that unconditional security can be achieved in many special but realistic scenarios. Some of these approaches are described in this introductory overview article.



1 Computational versus Information-Theoretic Security 

The security of many presently-used cryptosystems, e.g., of all public-key cryptographic schemes, is based on the assumed hardness of computational problems in number theory such as the integer-factoring problem (e.g., RSA [28]) or the problem of computing discrete logarithms in certain finite cyclic groups (e.g., Diffie-Hellman [13]). Such a cryptosystem is called computationally secure.

To date, no practical cipher has been proven computationally secure. Note first of all that it is an inherent fact that computational security can only hold under certain assumptions on the adversary's computing resources. In other words, a computationally infinitely powerful opponent can break every system of this type by exhaustive search over the key space.

One reason for the lack of proofs of cryptographic security is that in complexity theory, actually proved lower bounds on the running time of algorithms solving specific problems are either rather weak (and useless in cryptography) or valid only in special computational models (e.g., [32]). Unfortunately, such bounds are not directly useful either, since it can never be guaranteed that the adversary is restricted to this particular model. So-called “provable computational security” is always conditional and means that an efficient reduction from a well-known problem that is believed to be hard, such as the discrete-logarithm problem or the decisional Diffie-Hellman problem, to breaking the proposed system can be given, thus showing that the cryptosystem is secure if some widely-accepted standard complexity assumption is true (e.g., [11]).

Finally, it has been shown that the integer-factoring as well as the discrete-logarithm problem can be solved in polynomial time by a quantum computer, i.e., a computing device that is able to exploit certain effects from quantum mechanics [31]. The security of most public-key cryptographic protocols is based on the hardness of at least one of these problems.

Consequently, practical computational security is always conditional and additionally faces the risk of being broken by progress in the theory of efficient algorithms or in hardware engineering. On the other hand it appears desirable from both a scientific and a practical point of view to design cryptosystems whose security is not based on any assumptions and can be proven rigorously. For the reasons discussed above, such security proofs must be based on information theory (i.e., probability theory) rather than complexity theory. Various attempts have been made at realizing this type of security, some of which we describe in this overview paper.

The outline of the article is as follows. We start with an introduction to some 
basic definitions and facts from probability and information theory (Section 2). 
Then, a definition of perfect secrecy, undoubtedly the strongest possible security 
definition in cryptography, is given (Section 3). Shannon’s pessimistic theorem 
suggests that perfect secrecy is necessarily impractical. However, we describe a 
number of approaches that could qualify this pessimism. All these constructions 
have in common that some kind of limitations are needed on the amount of infor- 
mation that an opponent obtains. Realistic scenarios have been described where 
such an upper bound on the adversary’s knowledge can for instance be based 
on noise, an inherent property of every physical communication channel (Sec- 
tion 4). Motivated by these examples, a model has been presented and analyzed 
that shows how two parties can generate a secret key from common randomness 
by communication over an insecure but authentic (or even completely insecure) 
channel (Sections 5 and 6). 

2 Basic Concepts of Information Theory 

Information theory goes back to Claude Shannon and his celebrated 1948 paper [30]. Examples of good and detailed introductions to the field are [10] or [5].

2.1 Probability-Theoretic Preliminaries 

In this section we introduce some basic probability-theoretic concepts. For a 
detailed introduction see for example [14]. 

Let $\mathcal{X}$ be a countable set. The distribution $P_X$ of a discrete random variable $X$ with range $\mathcal{X}$ is a mapping

$P_X : \mathcal{X} \to \mathbb{R}^{\geq 0}$

with $\sum_{x \in \mathcal{X}} P_X(x) = 1$. If $\mathcal{X} \subseteq \mathbb{R}$, the expectation of $X$ is defined as

$E[X] :=$ .

Let $f$ be a convex function. Then we have

$E[f(X)] \geq f(E[X])$ . (1)

Inequality (1) is called Jensen's inequality. Most of the basic inequalities in information theory follow directly from this inequality.

The joint distribution $P_{X_1 X_2 \cdots X_N}$ of $N$ random variables is a probability distribution over the set $\mathcal{X}_1 \times \mathcal{X}_2 \times \cdots \times \mathcal{X}_N$. The random variables $X_1, X_2, \ldots, X_N$ are called statistically independent if

$P_{X_1 X_2 \cdots X_N}(x_1, x_2, \ldots, x_N) = P_{X_1}(x_1) \cdot P_{X_2}(x_2) \cdots P_{X_N}(x_N)$

for all $x_1, x_2, \ldots, x_N$, i.e., when the joint distribution equals the product of the marginal distributions.

An event $\mathcal{A}$ is a subset of the range of a random experiment. By $\mathrm{Prob}[\mathcal{A}]$ we denote the probability of $\mathcal{A}$, i.e., the sum of the probabilities of all the outcomes belonging to $\mathcal{A}$. The conditional distribution of $X$, given that the event $\mathcal{A}$ (with $\mathrm{Prob}[\mathcal{A}] > 0$) occurs, is defined as

$P_{X|\mathcal{A}}(x) := \dfrac{\mathrm{Prob}[\{X = x\} \cap \mathcal{A}]}{\mathrm{Prob}[\mathcal{A}]}$ .

As a special case, a random variable can be conditioned on the event

$\mathcal{A} := \{Y = y\}$

that another random variable $Y$ takes a particular value $y$. The resulting distribution

$P_{X|Y}(x, y) := P_{X|Y=y}(x)$

is called the conditional distribution of $X$ given $Y$. Note that the function $P_{X|Y}(\cdot\,;\cdot)$ with two arguments is not a probability distribution on $\mathcal{X} \times \mathcal{Y}$, but for every $y \in \mathcal{Y}$, the function $P_{X|Y}(\cdot\,;y)$ is a distribution on $\mathcal{X}$.



2.2 Bar Kochba, Uncertainty, and Entropy 

The following story has been reported about Bar Kochba (the “Son of the Star”), leader of the Jews during their independence war in 135 B.C., who defended his fortress heroically against a superior number of Romans [27].

“It is also said that Bar Kochba sent out a scout to the Roman camp who was captured and tortured, having his tongue cut out. He escaped from captivity and reported back to Bar Kochba, but being unable to talk, he could not tell in words what he had seen. Bar Kochba accordingly asked him questions which he could answer by nodding or shaking his head. Thus he acquired from his mute scout the information he needed to defend the fortress. [...] It occurred to me that, if the story of Bar Kochba were true, then he would have been the forefather of information theory”.

In the so-called Bar-Kochba game, one player has to find out, by asking yes/no-questions, what the second player has in mind. This game was extremely popular among writers in Budapest at the beginning of this century. Regardless of the (possibly adaptive) strategy of the questioner, he cannot, with at most 20 questions, distinguish between more than $2^{20}$, i.e., about one million, different objects (because there are only $2^{20}$ ways of answering the 20 questions differently). On the other hand, given that the object to be found comes from a set of size at most $n$, then $\lceil \log_2 n \rceil$ questions are always sufficient if the following strategy is used. Let a fixed encoding of all the objects by binary strings of length 20 be defined. Then, the strategy is to ask whether the first, second, ... bit of the encoding is 1.

This example shows the close relationship between the Bar-Kochba game and binary coding. For a random variable $X$ that takes one of $n = 2^k$ values with equal probabilities, the minimal average number of questions in the Bar-Kochba game, as well as the minimal average codeword length of a prefix-free binary code, is $k$. Note that this bound cannot be beaten even if a strategy is used with variable codeword lengths for the different outcomes. We call this quantity the uncertainty or entropy of $X$, denoted by $H(X)$.

If the size of the range $\mathcal{X}$ of $X$ is not a power of 2, then the average number of questions required obviously lies between $\lfloor \log_2 |\mathcal{X}| \rfloor$ and $\lceil \log_2 |\mathcal{X}| \rceil$. When combining $r$ independent realizations of the random variable $X$, the optimal average number of questions required to learn all the outcomes together lies between $\lfloor \log_2 |\mathcal{X}|^r \rfloor$ and $\lceil \log_2 |\mathcal{X}|^r \rceil$. Taking such combinations into account, we obtain for the entropy of $X$ that

$\log_2 |\mathcal{X}| - \dfrac{1}{r} \leq \dfrac{\lfloor \log_2 |\mathcal{X}|^r \rfloor}{r} \leq H(X) \leq \dfrac{\lceil \log_2 |\mathcal{X}|^r \rceil}{r} \leq \log_2 |\mathcal{X}| + \dfrac{1}{r}$

for all $r \geq 1$, hence

$H(X) = \log_2 |\mathcal{X}|$ . (2)

Equation (2) is called Hartley's formula and gives the entropy of a uniformly distributed random variable.

We consider an example of a random variable $Y$ that is not uniformly distributed. Let $\mathcal{Y} = \{a, b, c, d\}$, with $P_Y(a) = 1/2$, $P_Y(b) = 1/4$, $P_Y(c) = P_Y(d) = 1/8$. We conclude from the above that two questions are always sufficient, hence $H(Y) \leq 2$. However, there is a better strategy of asking questions or, equivalently, a prefix-free code with a shorter average codeword length, namely

$a \to 0,\quad b \to 10,\quad c \to 110,\quad d \to 111$ .

The average number of questions required when asking the bits of the codewords is

$\dfrac{1}{2} \cdot 1 + \dfrac{1}{4} \cdot 2 + \dfrac{1}{8} \cdot 3 + \dfrac{1}{8} \cdot 3 = \dfrac{7}{4}\ \ (< 2)$ .

On the other hand, this code (or strategy of asking questions) is optimal. Note that in this example, the length of the codeword of a letter is $\log_2(1/p)$, where $p$ is the probability of this letter. The quantity $\log_2(1/p)$ is sometimes called the unexpectedness of an elementary event with probability $p$.

A code is optimal if the length of every codeword is equal to the unexpectedness of the corresponding outcome. Hence, for a random variable $X$ for which each probability $p_i$ is of the form $p_i = 2^{-s_i}$ for an integer $s_i$, we have

$H(X) = p_1 \log_2(1/p_1) + p_2 \log_2(1/p_2) + \cdots$ . (3)

Equation (3) is called Shannon's formula, and is a generalization of Hartley's formula (2). By combining independent realizations of the random variable for the encoding, one obtains that this formula gives the entropy of any discrete random variable. The following definition was given by Shannon in 1948.

Definition 1. [30] The entropy $H(X)$ of a random variable $X$ with distribution $P_X$ is given by

$H(X) = H(P_X) := \sum_{x \in \mathcal{X}} -P_X(x) \cdot \log_2 P_X(x) = E[-\log_2 P_X]$ .

The joint entropy of random variables $X_1, X_2, \ldots, X_N$ is the entropy of the joint distribution, i.e.,

$H(X_1 X_2 \cdots X_N) := H(P_{X_1 X_2 \cdots X_N})$ .

Moreover, Definition 1 also covers the case where the distribution is conditioned on an event $\mathcal{A}$. We write $H(X|\mathcal{A}) := H(P_{X|\mathcal{A}})$ or, if $\mathcal{A} = \{Y = y\}$,

$H(X|Y = y) := H(P_{X|Y=y})$ .

The entropy of a binary random variable with probability distribution $[p, 1-p]$ is given by the binary entropy function

$h(p) := -p \log_2 p - (1-p) \log_2 (1-p)$

(see Figure 1).

The entropy of a random variable $X$ is always non-negative and upper bounded by the binary logarithm of the cardinality of the range, i.e.,

$0 \leq H(X) \leq \log_2 |\mathcal{X}|$ . (4)

The second inequality, which is intuitively clear when taking into account the discussion above, follows from Jensen's inequality for concave functions:

$H(X) = E[\log_2(1/P_X)] \leq \log_2(E[1/P_X]) = \log_2 |\mathcal{X}|$ .

Equality on the left hand side of (4) holds if and only if there exists an element $x_0 \in \mathcal{X}$ with $P_X(x_0) = 1$, whereas equality on the right hand side is equivalent to the fact that $X$ is uniformly distributed over $\mathcal{X}$, i.e., that $P_X(x) = 1/|\mathcal{X}|$ holds for all $x \in \mathcal{X}$. In the special case where the outcome of the random experiment is a binary string of length $n$, the second inequality of (4) implies that the entropy of the random variable can be equal to, but not exceed, $n$.

For random variables $X$ and $Y$, we have

$H(XY) \leq H(X) + H(Y)$ , (5)

with equality if and only if $X$ and $Y$ are statistically independent.
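The Bar-Kochba example, Shannon's formula (3) and the bounds (4) can be checked mechanically. The following is an added example, not part of the original article: it computes the entropy of the four-letter distribution from Section 2.2, the average codeword length of the naive two-question strategy and of the prefix-free code $a \to 0, b \to 10, c \to 110, d \to 111$, and tests the "length equals unexpectedness" criterion for dyadic probabilities. Function names are our own; the distribution and the code are the ones in the text.

```python
"""Entropy, Hartley's formula and optimal prefix-free codes (Section 2.2).

Added example, not part of the original article. The distribution and
the two codes are the ones worked out in the text; function names are ours.
"""
import math


def entropy(dist):
    """Shannon entropy H(P) = sum_x -P(x) log2 P(x) in bits (Definition 1).
    Outcomes of probability 0 contribute nothing (0 * log 0 := 0)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def hartley(n):
    """Entropy of a uniform distribution over n outcomes, equation (2)."""
    return math.log2(n)


def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2 (1-p), the entropy of a biased bit."""
    return entropy({0: 1 - p, 1: p})


def is_prefix_free(code):
    """True if no codeword is a proper prefix of another one, so the bits
    can be asked one by one as yes/no questions without ambiguity."""
    words = list(code.values())
    return not any(u != v and v.startswith(u) for u in words for v in words)


def average_codeword_length(dist, code):
    """Expected number of questions when asking the codeword bits in turn."""
    assert is_prefix_free(code), "not a valid questioning strategy"
    return sum(p * len(code[x]) for x, p in dist.items())


def unexpectedness(p):
    """log2(1/p): the ideal codeword length of an outcome of probability p."""
    return math.log2(1 / p)


def is_optimal_dyadic_code(dist, code):
    """For dyadic probabilities p = 2^-s a code is optimal iff every codeword
    length equals the unexpectedness of its outcome (equation (3))."""
    return all(len(code[x]) == unexpectedness(p) for x, p in dist.items())


def entropy_within_bounds(dist):
    """Inequality (4): 0 <= H(X) <= log2 |X| with |X| the size of the range."""
    return 0 <= entropy(dist) <= hartley(len(dist)) + 1e-12


# Worked example from the text: P(a)=1/2, P(b)=1/4, P(c)=P(d)=1/8.
EXAMPLE_DIST = {"a": 0.5, "b": 0.25, "c": 0.125, "d": 0.125}
OPTIMAL_CODE = {"a": "0", "b": "10", "c": "110", "d": "111"}
# The naive strategy: always two questions (a fixed 2-bit encoding).
NAIVE_CODE = {"a": "00", "b": "01", "c": "10", "d": "11"}


def bar_kochba_summary(dist=EXAMPLE_DIST):
    """Compare both questioning strategies with the entropy of the source."""
    return {
        "H": entropy(dist),
        "naive_questions": average_codeword_length(dist, NAIVE_CODE),
        "optimal_questions": average_codeword_length(dist, OPTIMAL_CODE),
        "optimal_matches_unexpectedness": is_optimal_dyadic_code(dist, OPTIMAL_CODE),
    }


if __name__ == "__main__":
    print(bar_kochba_summary())                       # H = 7/4 = optimal length
    print("uniform over 2^10 outcomes:", hartley(2 ** 10), "bits")
    print("h(0.999) =", round(binary_entropy(0.999), 5))
```

The naive strategy costs 2 questions on average, the prefix-free code 7/4, and 7/4 is exactly $H(Y)$; with the uniform distribution over eight letters both strategies need 3 questions, which is Hartley's value.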

2.3 Conditional Entropy and Mutual Information 

When considering inequality (5) it appears natural to interpret the (non-negative) quantity $H(XY) - H(X)$ as the entropy of the random variable $Y$ when $X$ is given.

Definition 2. The conditional entropy of $Y$ when given $X$ is defined as

$H(Y|X) := H(XY) - H(X)$ . (6)

Note that in contrast to all previously introduced entropies such as $H(X) = H(P_X)$, $H(XY) = H(P_{XY})$, or $H(Y|X = x) = H(P_{Y|X=x})$, the conditional entropy $H(Y|X)$ is not the entropy of a specific probability distribution, but rather the expected value of the entropies $H(Y|X = x)$, i.e.,

$H(Y|X) = E_X[H(Y|X = x)]$ .

Equation (6) can be rewritten as

$H(XY) = H(X) + H(Y|X)$ .

This chain rule can be generalized as follows. For random variables $X_1, \ldots, X_N$ and an event $\mathcal{A}$ we have

$H(X_1 X_2 \cdots X_N | \mathcal{A}) = H(X_1|\mathcal{A}) + H(X_2|X_1, \mathcal{A}) + \cdots + H(X_N | X_1 X_2 \cdots X_{N-1}, \mathcal{A})$ .

It is a fundamental property of the conditional entropy that

$H(Y|X) \leq H(Y)$ , (7)

which is a consequence of inequality (5). (However, note that $H(Y|X = x) > H(Y)$ is possible, as the following example illustrates. Let $Y$ be 100 independent flips of an unfair coin with $\mathrm{Prob}[\text{“heads”}] = 99.9\%$, and let $X$ be the number of “heads” in the sequence. Then, although of course $H(Y|X) \leq H(Y)$ holds, we have

$1.141 \approx 100 \cdot h(0.999) = H(Y) < H(Y|X = 50) \approx 96.35$ .

Of course the event $\{X = 50\}$ is extremely unlikely.)

Informally spoken, inequality (7) can be interpreted as the fact that information can never increase uncertainty. More precisely, the quantity

$I(Y;X) := H(Y) - H(Y|X) = H(X) + H(Y) - H(XY) \geq 0$ (8)

is the amount of information that $X$ gives about $Y$. The last expression of (8) shows that $I(Y;X)$ is symmetric in its arguments, i.e., that

$I(X;Y) = I(Y;X)$

holds. The quantity $I(X;Y)$ is called the mutual information between $X$ and $Y$. Analogously, one can define $I(X;Y|\mathcal{A}) := H(X|\mathcal{A}) - H(X|Y,\mathcal{A})$ and

$I(X;Y|Z) := H(X|Z) - H(X|YZ) = E_Z[I(X;Y|Z = z)]$ .



2.4 Graphical Representation of Information-Theoretic Quantities 

Let $X$ and $Y$ be random variables. Then the quantities $H(XY)$, $H(X)$, $H(Y)$, $H(X|Y)$, $H(Y|X)$, and $I(X;Y)$ can be graphically represented as shown in Figure 2. The union of all inner regions corresponds to $H(XY)$. The representation has the property that the quantity corresponding to the disjoint union of some regions equals the sum of the quantities corresponding to these partial regions. For a detailed discussion of this measure-theoretic representation of information-theoretic quantities see [37].

Fig. 2. Two Random Variables



224 



Stefan Wolf 




The case of three random variables is shown in Figure 3. Note that the quantity corresponding to the region in the middle,

$R(X;Y;Z) := I(X;Y) - I(X;Y|Z)$ ,

is symmetric in $X$, $Y$, and $Z$ and can be negative. All the other regions represent information-theoretic quantities that are always non-negative.

Figure 4 illustrates independent symmetric bits $X$ and $Y$ and $Z := X \oplus Y$. Figure 5 shows a Markov chain.




3 Perfect Secrecy and Shannon’s Pessimistic Theorem 

In the following we consider the problem of information-theoretically secure key generation and message transmission over an insecure channel. This section contains Shannon's definition of perfect secrecy of a cipher and his well-known theorem which appears to imply that unconditional security is necessarily completely impractical. In the following sections however it is demonstrated that information theory cannot be used only to prove such pessimistic results. It is somewhat surprising that when the models and security requirements are only slightly modified, then practical information-theoretic security can be achieved in many realistic scenarios.

Fig. 5. A Markov Chain $X \to Y \to Z \to U \to V \to W$

Let us start with the classical scenario of a symmetric cryptosystem with message $M$, key $K$, and ciphertext $C$ (see Figure 6). The following security definition appears to be the strongest possible for such a cryptosystem.

Fig. 6. A Symmetric Cryptosystem

Definition 3. [29] A cipher is called perfectly secret if the ciphertext reveals no information about the message, i.e., if $I(M;C) = 0$ holds.

Equivalent characterizations of this condition are that $M$ and $C$ are statistically independent, or that the best strategy of an eavesdropper who wants to obtain (information about) the message from the ciphertext is to use only the a priori knowledge about $M$ and to discard $C$.

Perfect secrecy can even be achieved without any computation, as the example in Figure 7 shows. As everyone can easily see, the ciphertext alone reveals no information about the message at all in this example! (For more on “visual cryptography,” see [26].)

Fig. 7. Visual Decryption

This visual cipher is a graphical implementation of the one-time pad that was already proposed by Vernam in 1926 [34]. Here, the message is a string $M = [m_1, m_2, \ldots, m_N]$ of length $N$, and the key is a uniformly distributed $N$-bit string $K = [k_1, k_2, \ldots, k_N]$ which is independent of $M$. The ciphertext $C$ is computed from $M$ and $K$ by

$C = [c_1, c_2, \ldots, c_N] = [m_1 \oplus k_1, m_2 \oplus k_2, \ldots, m_N \oplus k_N] =: M \oplus K$ .

The one-time pad is perfectly secret. To see this, observe first that when given the cleartext and the ciphertext, the key is uniquely determined, i.e., $H(K|MC) = 0$. Furthermore, $I(K;C|M) = N$ (remember that $N$ is the block length) then follows from $H(K) = N$ and $I(M;K) = 0$. Finally, $I(M;C) = 0$ holds because $H(C) \leq \log_2 |\mathcal{C}| = N$. A graphical representation of the quantities is given in Figure 8.
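The quantities in the proof above, and the definitions of Sections 2.3 and 2.4 they rely on, can be evaluated exactly on small joint distributions. The following added example (not from the article) serves both passages: it implements $H(\cdot)$, $H(\cdot|\cdot)$, $I(\cdot;\cdot)$, $I(\cdot;\cdot|\cdot)$ and $R(X;Y;Z)$ over tuple-valued joint distributions, reproduces the negative $R$ for $Z = X \oplus Y$ (Figure 4) and the 100-coin example of Section 2.3, and then builds the joint distribution of $(M, K, C)$ for a 3-bit one-time pad with a deliberately skewed message distribution to confirm $H(K|MC) = 0$, $I(K;C|M) = N$ and $I(M;C) = 0$. As the defender's counterpart to "can only be used once", it also measures the leak $I(M_1 M_2; C_1 C_2)$ when the same key pads two messages. The message distribution and all function names are our own.

```python
"""Conditional entropy, mutual information and the one-time pad, computed
exactly from small joint distributions.

Added example, not part of the original article. It covers Sections 2.3
and 2.4 (Definition 2, equation (8), R(X;Y;Z), the coin example) and the
perfect-secrecy argument of Section 3. MESSAGE_DIST is a constructed
3-bit message distribution; function names are ours.
"""
import math
from itertools import product


def entropy(dist):
    """H(P) in bits (Definition 1); 0 log 0 is taken as 0."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def marginal(joint, idx):
    """Marginal of a joint distribution over tuples, keeping coordinates idx."""
    out = {}
    for outcome, p in joint.items():
        key = tuple(outcome[i] for i in idx)
        out[key] = out.get(key, 0.0) + p
    return out


def H(joint, idx):
    """Joint entropy of the coordinates in idx, e.g. H(j, (0, 1)) is H(X0 X1)."""
    return entropy(marginal(joint, idx))


def cond_entropy(joint, a, given):
    """H(A|B) = H(AB) - H(B), Definition 2 / equation (6)."""
    return H(joint, tuple(a) + tuple(given)) - H(joint, tuple(given))


def mutual_info(joint, a, b, given=()):
    """I(A;B|C) = H(A|C) - H(A|BC); with C empty this is equation (8)."""
    return cond_entropy(joint, a, given) - cond_entropy(joint, a, tuple(b) + tuple(given))


def R(joint, x, y, z):
    """R(X;Y;Z) := I(X;Y) - I(X;Y|Z), the middle region of Figure 3."""
    return mutual_info(joint, x, y) - mutual_info(joint, x, y, z)


# Figure 4: independent symmetric bits X, Y and Z = X xor Y (coordinates 0, 1, 2).
XOR_JOINT = {(x, y, x ^ y): 0.25 for x in (0, 1) for y in (0, 1)}

# Constructed, deliberately skewed distribution over 3-bit messages.
MESSAGE_DIST = {(0, 0, 0): 0.5, (1, 1, 1): 0.25, (1, 0, 1): 0.25}


def xor(u, v):
    """Bitwise XOR of two equal-length bit tuples."""
    return tuple(a ^ b for a, b in zip(u, v))


def one_time_pad_joint(message_dist, n):
    """(M, K, C): K uniform over the 2^n keys and independent of M, C = M xor K."""
    return {(m, k, xor(m, k)): p / 2 ** n
            for k in product((0, 1), repeat=n) for m, p in message_dist.items()}


def two_time_pad_joint(message_dist, n):
    """Key reused for two independent messages: (M1, M2, K, C1, C2)."""
    return {(m1, m2, k, xor(m1, k), xor(m2, k)): p1 * p2 / 2 ** n
            for k in product((0, 1), repeat=n)
            for m1, p1 in message_dist.items() for m2, p2 in message_dist.items()}


def one_time_pad_quantities(message_dist=MESSAGE_DIST, n=3):
    """The quantities used in the text's proof: H(K|MC), I(K;C|M), I(M;C)."""
    j = one_time_pad_joint(message_dist, n)
    return {"H(K|MC)": cond_entropy(j, (1,), (0, 2)),
            "I(K;C|M)": mutual_info(j, (1,), (2,), (0,)),
            "I(M;C)": mutual_info(j, (0,), (2,)),
            "H(M)": H(j, (0,)), "H(K)": H(j, (1,))}


def two_time_pad_leak(message_dist=MESSAGE_DIST, n=3):
    """I(M1 M2; C1 C2) in bits when the key is used twice: strictly positive,
    since C1 xor C2 = M1 xor M2 is handed to the eavesdropper."""
    return mutual_info(two_time_pad_joint(message_dist, n), (0, 1), (3, 4))


def coin_example():
    """Section 2.3: Y = 100 flips with Prob[heads] = 0.999, X = number of heads.
    Returns (H(Y), H(Y|X=50)); the second is larger although H(Y|X) <= H(Y)."""
    h = lambda p: entropy({0: 1 - p, 1: p})
    # Given X = 50, Y is uniform over the C(100, 50) sequences with 50 heads.
    return 100 * h(0.999), math.log2(math.comb(100, 50))


if __name__ == "__main__":
    print("I(X;Z) =", mutual_info(XOR_JOINT, (0,), (2,)),
          " I(X;Z|Y) =", mutual_info(XOR_JOINT, (0,), (2,), (1,)),
          " R(X;Y;Z) =", R(XOR_JOINT, (0,), (1,), (2,)))
    print(one_time_pad_quantities())
    print("two-time pad leak:", round(two_time_pad_leak(), 3), "bits")
    print("coin example (H(Y), H(Y|X=50)):", coin_example())
```

For the XOR example $I(X;Z) = 0$ but $I(X;Z|Y) = 1$, so $R(X;Y;Z) = -1$. The one-time pad figures come out as in the proof, and the two-time pad leaks about 1.9 bits of the 3 bits of $H(M_1 M_2)$ for this message distribution, which is why the key must not be reused.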




Unfortunately, the price one has to pay here for perfect secrecy is that the communicating parties must share a secret key which is at least as long as the message (and can only be used once). In view of this property, the one-time pad appears to be quite impractical and can only offer an advantage in time: the key can be safely transmitted whenever this is possible, and the message can be secretly sent whenever this is needed.

However, Shannon showed that perfect secrecy cannot be obtained in a cheaper way, i.e., that the one-time pad is optimal with respect to key length.

Theorem 4. [29] For every perfectly secret cryptosystem (with unique decodability), we have

$H(K) \geq H(M)$ .

For a proof of Shannon's theorem, note first that unique decodability means $H(M|CK) = 0$. The graphic representation of the involved quantities is given in Figure 9. We have $b \geq a$ because $I(C;K) \geq 0$, and

$H(K) \geq b - a + c \geq a - a + c = H(M)$ .

This concludes the proof.

4 Optimistic Results by Limiting the Adversary’s 
Information 

Unfortunately, Shannon's theorem implies that perfect secrecy is possible only between parties who share a secret key of length at least equal to the entropy of the message to be transmitted. Hence every perfectly secret cipher is necessarily as impractical as the one-time pad. On the other hand, the assumption that the adversary has perfect access to the ciphertext is overly pessimistic and unrealistic in general, since every transmission of a signal over a physical channel is subject to noise.

Motivated by this, many models have been presented and analyzed in which the information the adversary obtains is limited in some way, and which offer the possibility of information-theoretically secure key agreement and, under the assumption that insecure channels are always available, secret message transmission (using the one-time pad with the generated secret key).

The condition that the opponent’s knowledge is bounded can for instance be 
based on noise in communication channels [36], [12], [1], [21], on the fact that the 
adversary’s memory is limited [22], [9], or on the uncertainty principle of quantum 
mechanics [2]. In this article, we describe a number of models that belong to the 
first category. 

4.1 Wyner’s Wire-Tap Channel 

Consider the following (simple but generally unrealistic) situation first. Assume that two parties Alice and Bob are connected by an authentic and noiseless binary channel, and that a wiretapper Eve receives the bits sent over the channel with some error probability $\varepsilon > 0$. In other words, her wire-tap channel is a binary symmetric channel (BSC) with error probability $\varepsilon$ (see Figure 10).

Fig. 10. A Binary-Symmetric Wire-Tap Scenario

In this situation, Alice can send a message bit $M$ to Bob by sending an $N$-bit block $[X_1, X_2, \ldots, X_N]$, where $X_1, X_2, \ldots, X_{N-1}$ are independent and symmetric bits and $X_N$ is such that

$X_1 \oplus X_2 \oplus \cdots \oplus X_N = M$ .

Eve's error probability when guessing the bit $M$ with the optimal strategy is

$\dfrac{1 - (1 - 2\varepsilon)^N}{2}$ ,

and converges to $1/2$ exponentially fast in $N$. Moreover, the information that Eve obtains about $M$ from the noisy versions of $X_1, X_2, \ldots, X_N$ does not exceed $1 - h(p)$. By repeating this process, Alice and Bob can agree on a highly secret key of arbitrary length.

The following, more general scenario of the wire-tap channel (see Figure 11) 
was introduced and analyzed by Wyner [36] and simplified by Massey [16]. In 
this setting, Alice and Bob are connected by a discrete memoryless channel 
(characterized by its conditional probability distribution $P_{Y|X}$), whereas Eve 
receives a noisy version $Z$ of Bob's channel output $Y$. Alice chooses the input to 
the first channel according to some distribution $P_X$. 

Fig. 11. Wyner's Wire-Tap Channel 

It was shown in [36] that in this scenario, Alice and Bob can agree on a highly 
secret key at some rate in many situations (for instance in the case where all 
the random variables are binary and the channels are binary-symmetric with 
error probabilities not 1/2 and not 0 nor 1, respectively). Exact definitions of 
the security requirements for such a key, as well as of the secret-key generation 
rate, are given below. 

However, the assumption that the adversary only receives a degraded version 
of the legitimate receiver's information is unrealistic in general. This fact 
motivated the study of generalizations of Wyner's model. 

4.2 Broadcast Channels 

Csiszár and Körner [12] considered the situation where the sender Alice is connected 
to the receiver Bob by a discrete memoryless channel (with conditional 
distribution $P_{Y|X}$), and where also the adversary Eve receives a noisy version $Z$ 
of $X$ over a different channel (characterized by $P_{Z|XY}$, i.e., the channels are not 
necessarily independent). As before, Alice chooses the channels' input $X$ according 
to some distribution $P_X$. The broadcast scenario is illustrated in Figure 12. 

Fig. 12. The Broadcast-Channel Scenario 

For this setting, the secrecy capacity $C_s(P_{YZ|X})$ has been defined as the 
maximal rate at which Alice and Bob can generate a virtually secret key. Without 
going into the details of the definitions and the key-generation protocols, we 
remark that both the size of the generated secret key as well as the amount of 
information leaked to the adversary are defined in terms of a rate, i.e., measured 
as average information per channel use. 

In [12], the following lower bound on the secrecy capacity, depending on the 
conditional distribution $P_{YZ|X}$, has been proved: 

\[ C_s(P_{YZ|X}) \ge \max_{P_X} \bigl[ I(X;Y) - I(X;Z) \bigr] . \tag{9} \] 

In inequality (9), the maximum is taken over all possible distributions $P_X$ of $X$. 
Intuitively, this bound implies that if the legitimate partners initially have 
some advantage over Eve in terms of the information about each other's random 
variables, then this advantage can be fully exploited to generate a secret key. 

However, if Alice and Bob have no such advantage to start with, then generally 
no secret-key agreement is possible in this model. Let us for instance consider 
the situation where the channels are independent and binary-symmetric 
with error probabilities $\varepsilon$ and $\delta$ (see Figure 13). 

[Figure 13: Alice's input $X$ reaches Bob as $Y$ over BSC($\varepsilon$) and Eve as $Z$ over an independent BSC($\delta$)] 

Fig. 13. Independent Binary-Symmetric Broadcast Channels 

In this special scenario, the secrecy capacity is given by 

\[ C_s(P_{YZ|X}) = \begin{cases} \text{[expression not recoverable from the scan]} & \text{if } \delta > \varepsilon \\ 0 & \text{otherwise} . \end{cases} \] 



In other words, secret-key agreement is impossible unless Bob’s channel is better 
than Eve’s. Unfortunately, it may often be impossible to guarantee that the 
adversary’s channel is noisier than the one of the legitimate partner. 
4.3 The Power of Interaction 

The following example, given in [21], illustrates how much more powerful interaction 
can be in contrast to one-way transmission for unconditionally secure key 
agreement. This is a motivation for the study of a more general model of secret-key 
agreement from common information by insecure two-way communication. 
We discuss this model in Section 5. 

We start with the situation shown in Figure 13, where $0 < \delta < \varepsilon < 1/2$. As 
mentioned above, no secret-key agreement is possible. However, let us assume 
an interactive variant of this model with an additional noiseless and insecure 
but authentic channel. (Note that channels with virtually these properties often 
exist in reality, e.g., telephone lines.) Surprisingly, the situation is now entirely 
different although the additional channel can be perfectly overheard by Eve. 

Observe first that the additional public-discussion channel allows the direction 
of the noisy channel between Alice and Bob to be inverted by the following trick. 
First, Alice chooses a random bit $X$ and sends it over the noisy channel(s). This 
bit is received by Bob as $Y$ and by Eve as $Z$. Bob, who wants to send the message 
bit $C$ to Alice, computes $C \oplus Y$ and sends this over the noiseless public channel. 
Alice computes $(C \oplus Y) \oplus X$, whereas Eve can compute $(C \oplus Y) \oplus Z$. This 
perfectly corresponds to the situation where the direction of the main channel 
is inverted (see Figure 14). 

[Figure 14: Bob sends $C$; Alice decodes $(C \oplus Y) \oplus X$ and Eve decodes $(C \oplus Y) \oplus Z$] 

Fig. 14. Inverting the Main Channel 


The second crucial observation is that this is exactly the binary-symmetric 
setting of Wyner’s wire-tap channel of Section 4.1, allowing secret-key agreement 
at some rate. We conclude from this example that the possibility of feedback 
from Bob to Alice can substantially improve the legitimate partners’ situation 
towards a wire-tapping adversary. 
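Both constructions, the parity scheme of Section 4.1 and the inversion trick above, can be checked exactly by enumerating the noise outcomes. The following is an added example (our own code, not from the chapter); the function names are ours, and the closed form for Eve's error is the one quoted in Section 4.1.

```python
from itertools import product
from math import comb


def eve_error_parity_scheme(eps, n):
    """Section 4.1: Alice sends X_1..X_N with X_1 xor ... xor X_N = M over a
    noiseless channel; Eve sees every X_i through BSC(eps).  Her optimal guess
    is the parity of the bits she received, which is wrong exactly when an odd
    number k of them were flipped.  Exact sum over k."""
    return sum(comb(n, k) * eps**k * (1 - eps) ** (n - k)
               for k in range(1, n + 1, 2))


def eve_error_closed_form(eps, n):
    """Closed form stated in Section 4.1: (1 - (1 - 2 eps)^N) / 2."""
    return (1 - (1 - 2 * eps) ** n) / 2


def inverted_channel_errors(eps, delta):
    """Section 4.3 trick.  Alice's random bit X reaches Bob as Y = X xor F_B
    (F_B ~ Bernoulli(eps)) and Eve as Z = X xor F_E (F_E ~ Bernoulli(delta)).
    Bob publishes C xor Y; Alice decodes (C xor Y) xor X, Eve decodes
    (C xor Y) xor Z.  Enumerating all 16 outcomes of (X, C, F_B, F_E) gives
    both parties' exact error probabilities on Bob's bit C."""
    p_alice = p_eve = 0.0
    for x, c, f_b, f_e in product((0, 1), repeat=4):
        pr = 0.25 * (eps if f_b else 1 - eps) * (delta if f_e else 1 - delta)
        y, z = x ^ f_b, x ^ f_e
        public = c ^ y                  # overheard by everyone
        if public ^ x != c:             # Alice is wrong iff X != Y
            p_alice += pr
        if public ^ z != c:             # Eve is wrong iff Y != Z
            p_eve += pr
    return p_alice, p_eve


def inversion_creates_advantage(eps, delta):
    """Before the inversion Eve's channel (delta) is better than Bob's (eps).
    Afterwards Eve's error is eps + delta - 2*eps*delta, which exceeds
    Alice's error eps whenever delta > 0 and eps < 1/2: the main channel is
    now the better one, as Wyner's setting requires."""
    p_alice, p_eve = inverted_channel_errors(eps, delta)
    return p_eve > p_alice


if __name__ == "__main__":
    print(eve_error_parity_scheme(0.1, 8), eve_error_closed_form(0.1, 8))
    print(inverted_channel_errors(0.2, 0.1))
```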
5 Interactive Secret-Key Agreement from Common Randomness 

5.1 The Scenario and the Secret-Key Rate 

Maurer has proposed the following interactive model of secret-key agreement 
by public discussion from common information [21]. The parties Alice and Bob 
who want to establish a mutual secret key have access to realizations of random 
variables $X$ and $Y$, respectively, whereas the adversary knows a random variable 
$Z$. Let $P_{XYZ}$ be the joint distribution of the random variables. Furthermore, the 
legitimate partners are connected by an insecure but authentic channel, i.e., a 
channel that can be passively overheard by Eve but over which no undetected 
active attacks by the opponent, such as modifying or inserting messages, are 
possible (see Figure 15). 

[Figure 15: Alice holds $X$ and Bob holds $Y$, connected by a public authentic channel that Eve, holding $Z$, overhears] 

Fig. 15. Secret-Key Agreement by Public Discussion from Common Information 



Note that it is natural to consider this model for the following reasons. First, 
it is an interactive (i.e., two-way) generalization of Wyner's and Csiszár and 
Körner's models. It is not necessary to assume the existence of noisy communication 
channels in this interactive setting because equivalents of such channels 
can be obtained by the same trick as shown in Section 4.3 for inverting the 
binary-symmetric channel. Secondly, the assumption that the parties have access 
to correlated randomness appears to be realistic in many contexts. An example 
of a possible physical implementation is described in Section 5.2. 

In analogy to the previous models, where the channels could be used many 
times independently, we assume here that the parties have access to a number of 
independent realizations of the corresponding random variables. Consequently, 
the so-called secret-key rate is defined in this model as the maximal rate at 
which Alice and Bob can generate a highly secret key by communication over the 
insecure channel, where the required number of channel uses from the definition 
of the secrecy capacity is replaced by the amount of randomness (i.e., the number 
of realizations of $X$ and $Y$) necessary for the generation of a key of some length. 

Definition 5. The secret-key rate $S(X;Y\|Z)$ of the distribution $P_{XYZ}$ is the 
maximal number $R$ with the following property. For every $\varepsilon > 0$, there is a 
number $N_0$ such that for all $N > N_0$, a protocol exists that uses authenticated 
public discussion and satisfies the following conditions. (We denote the block of 
the first $N$ realizations of the random variable $X$, $[X_1, X_2, \ldots, X_N]$, by $X^N$, and 
analogously for $Y$ and $Z$. Furthermore, let $U$ be the entire communication held 
over the public channel during the execution of the protocol.) There exist $k$-bit 
strings $S$ and $S'$ with 

\[ k \ge (R - \varepsilon) N , \tag{10} \] 

\[ H(S \mid X^N U) = 0 , \tag{11} \] 

\[ H(S' \mid Y^N U) = 0 , \tag{12} \] 

\[ \mathrm{Prob}[S \ne S'] \le \varepsilon , \tag{13} \] 

\[ I(S; Z^N U) \le \varepsilon , \tag{14} \] 

\[ H(S) \ge k - \varepsilon . \tag{15} \] 

In other words, these conditions guarantee that Alice (11) and Bob (12) can 
generate almost uniformly distributed (15) keys of a certain length (10) that are 
equal with high probability (13) and about which the adversary has virtually no 
information (14). ◇ 

The notion of the secret-key rate is stronger than the one of secrecy capacity 
in the sense that in the definition of $C_s(P_{YZ|X})$, it was required that the rate 
at which Eve obtains information about the key is small, whereas here, the total 
amount of information about the entire key must be negligible. (However, one 
can show that the secret-key rates with respect to the weaker and the stronger 
definitions are equal [19].) 

The secret-key rate is a quite fundamental and mathematically interesting 
property of a distribution $P_{XYZ}$. One challenging problem in this context is to 
elucidate the exact relationship between $P_{XYZ}$ and $S(X;Y\|Z)$, i.e., to determine 
the secret-key rate of a given distribution, or at least to decide whether the 
rate is non-zero and secret-key agreement is possible in principle in a particular 
situation. We discuss these questions in Section 6. 

5.2 The Satellite Scenario and Phases of Secret-Key Agreement Protocols 

The following realistic special scenario was proposed in [21] and completely analyzed 
in [25]. Assume that a satellite sends out random bits at very low signal 
power and that Alice, Bob, and Eve receive these bits over independent 
binary-symmetric channels with error probabilities $\alpha$, $\beta$, and $\varepsilon$, respectively (see 
Figure 16). 

Fig. 16. The Satellite Scenario 

In general, we may have to assume that Eve has a better antenna than the 
legitimate partners, and hence a possibly substantially lower error rate. It is a 
somewhat surprising fact that secret-key agreement is always possible in this 
scenario (unless Eve has noiseless access to the satellite bits or either Alice or 
Bob obtains no information at all about these bits). 

In the following, we describe a protocol for secret-key agreement in the satellite 
scenario. Such a protocol is often interpreted as consisting of three phases. 
As mentioned, Alice and Bob possibly start in a situation in which the adversary 
has an advantage over the legitimate partners with respect to the information 
about each other's random variables. The objective of the first phase, advantage 
distillation, is to generate an advantage over the opponent by exploiting the authenticity 
of the public channel. However, Alice and Bob do not generally share 
a mutual string after this phase. Hence, an interactive error-correction phase, 
information reconciliation, is required. Finally, the resulting mutual but only 
partially secret string must be transformed into a (shorter) highly secret string. 
This final phase is called privacy amplification. In the illustration of the three 
phases in Figure 17, the relations between the amounts of information that Bob's 
and Eve's knowledge provide about Alice's string are shown. The protocol steps 
are described in detail in the next three sections. An interactive demonstration 
of the phases is provided on the Internet [7]. 

5.3 Advantage Distillation 

We assume the satellite scenario described in the previous section with error 
probabilities $0 < \alpha, \beta < 1/2$ and $0 < \varepsilon < \min\{\alpha, \beta\}$, i.e., the adversary has an 
initial advantage over the legitimate partners in terms of the error probabilities. 
Let us consider $N$ independent realizations of the random variables. Then, we 
have 

\[ I(X^N; Y^N) = \sum_{i=1}^{N} I(X_i; Y_i) = N \cdot \bigl( 1 - h(\alpha(1-\beta) + (1-\alpha)\beta) \bigr) , \] 

\[ I(X^N; Z^N) = \sum_{i=1}^{N} I(X_i; Z_i) = N \cdot \bigl( 1 - h(\alpha(1-\varepsilon) + (1-\alpha)\varepsilon) \bigr) , \] 

\[ I(Y^N; Z^N) = \sum_{i=1}^{N} I(Y_i; Z_i) = N \cdot \bigl( 1 - h(\beta(1-\varepsilon) + (1-\beta)\varepsilon) \bigr) , \] 

i.e., 

\[ I(X^N; Y^N) < \min\{ I(X^N; Z^N) ,\; I(Y^N; Z^N) \} . \] 

Fig. 17. Phases of a Secret-Key-Agreement Protocol 

The basic idea of the advantage-distillation phase is that Alice and Bob use the 
noiseless discussion channel for exchanging information about their bits in an 
insecure but authentic way with the objective of identifying bits that are correct 
with a higher probability than others. We describe two different protocols that 
achieve this. The protocols are based on a repeat code and on the exchange 
of parity-check bits. The repeat-code protocol is simpler to describe, but very 
inefficient with respect to the required number of realizations of the random 
variables, whereas the parity-check protocol appears to be quite efficient. For a 
detailed analysis of the protocols, see for example [21], [20], [24]. 

Repeat-Code Protocol. The repeat-code protocol works as follows (see also 
Figure 18). Let $N$ be a fixed parameter. Alice chooses a random bit $C$ and 
computes 

\[ C^N \oplus X^N := [C \oplus X_1, C \oplus X_2, \ldots, C \oplus X_N] , \] 

where $C^N$ stands for the repeat-code block $[C, C, \ldots, C]$ of length $N$. She sends 
this "blinded" repeat-code block over the public channel. 

Fig. 18. The Repeat-Code Protocol 

Bob computes from this the block $(C^N \oplus X^N) \oplus Y^N$, and sends an "accept" message over the 
discussion channel if and only if the resulting block is a repeat-code block 
$(C')^N = [C', C', \ldots, C']$. Note that this is exactly the situation where Alice 
and Bob have either the same bit in all positions, i.e., $X^N = Y^N$, or opposite 
values in each position, i.e., $X^N = Y^N \oplus 1^N$. It is intuitively clear that Alice 
and Bob not only obtain an arbitrarily low probability of the event that $C' \ne C$ 
for large $N$ this way, but also that they improve their position compared to the 
opponent by accepting only in situations of apparently highly reliable transmission. 
However, also the adversary Eve, who can compute $(C^N \oplus X^N) \oplus Z^N$, 
takes advantage of a greater value of $N$. It is a somewhat surprising result that 
for arbitrary values of $\alpha, \beta < 1/2$, and $\varepsilon > 0$, Alice and Bob end up in an 
advantageous situation (both with respect to the error probabilities and to the 
information about each other's strings) for sufficiently large $N$. 

We show this with respect to the error probabilities of Bob and Eve when 
guessing the bit $C$ for the special case $\alpha = \beta$ (which we can assume without 
loss of generality because noise can always be added). We denote by $\alpha_{be}$ the 
probability that the single bit $0$ sent by Alice over the conceptual channel (i.e., 
$C \oplus X$ is sent over the public channel) is received (i.e., decoded) by Bob as $b$ 
and by Eve as $e$. Then we have 

\[ \alpha_{00} = (1-\alpha)^2 (1-\varepsilon) + \alpha^2 \varepsilon , \] 

\[ \alpha_{01} = (1-\alpha)^2 \varepsilon + \alpha^2 (1-\varepsilon) , \] 

\[ \alpha_{10} = \alpha_{11} = (1-\alpha)\alpha . \] 

We assume that $N$ is an even integer. The probability $\gamma$ that Bob accepts 
the $N$-bit block sent by Alice and that $C' \ne C$ holds is 

\[ \gamma = (\alpha_{10} + \alpha_{11})^N , \] 

whereas the probability $\delta$ that Bob accepts and Eve guesses the bit incorrectly 
is lower bounded by $1/2$ times the probability of the event that the block 
$(C^N \oplus X^N) \oplus Z^N$ which Eve obtains consists of $N/2$ 0's and the same number of 1's, 

\[ \delta \ge \frac{1}{2} \binom{N}{N/2} 2^{-N} \bigl( 2\sqrt{\alpha_{00}\alpha_{01}} \bigr)^N . \] 

Clearly, the actual message bit $C$ is statistically independent of the block Eve 
receives if this event occurs. It is not difficult to see that 

\[ 2\sqrt{\alpha_{00}\alpha_{01}} > \alpha_{10} + \alpha_{11} \] 

holds for $\alpha < 1/2$ and $\varepsilon > 0$, meaning that Bob's error probability decreases 
asymptotically faster than Eve's and is hence smaller for sufficiently large $N$. 
One can even show that Eve has less information than Bob about the bit $C$ for 
sufficiently large $N$. 

Parity-Check Protocol. The second protocol we discuss uses parity-check 
bits and works as follows. Alice computes the parity bit $X_1 \oplus X_2$ and sends it 
over the public channel. Bob accepts if and only if $X_1 \oplus X_2 = Y_1 \oplus Y_2$, i.e., if the 
parities of Alice's and Bob's first two bits are equal. In this case, the values $X_1$ 
and $Y_1$ are chosen by Alice and Bob, respectively, for the next protocol round 
(whereas otherwise, the bits are discarded). This step is repeated a number of 
times. After this first round it may be necessary, depending on the initial error 
probabilities, to carry out some additional rounds (see Figure 19). 

It is not difficult to see that $r$ rounds of the parity-check protocol are equivalent 
to the repeat-code protocol with $2^r$-bit blocks with respect to the resulting 
error probabilities. However, it is obvious that the parity-check protocol is much 
more efficient. 
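The quantities of the repeat-code analysis above ($\alpha_{be}$, $\gamma$, the lower bound on $\delta$) and the equivalence between parity-check rounds and repeat-code blocks can be computed exactly. This is an added example (our own code, not from the chapter); it assumes $\alpha = \beta$ as in the text, and the function names and the search for the smallest useful block length are ours.

```python
from math import comb, sqrt


def position_probs(alpha, eps):
    """alpha_be of Section 5.3 for alpha = beta.  Per position Bob decodes
    (C xor X) xor Y and Eve (C xor X) xor Z; b = 1 (e = 1) marks a wrong
    decoding by Bob (Eve).  Returns (a00, a01, a10, a11)."""
    a00 = (1 - alpha) ** 2 * (1 - eps) + alpha**2 * eps
    a01 = (1 - alpha) ** 2 * eps + alpha**2 * (1 - eps)
    a10 = a11 = alpha * (1 - alpha)
    return a00, a01, a10, a11


def bob_accepts_and_errs(alpha, eps, n):
    """gamma = (alpha_10 + alpha_11)^N: every position decoded wrongly."""
    _, _, a10, a11 = position_probs(alpha, eps)
    return (a10 + a11) ** n


def eve_errs_lower_bound(alpha, eps, n):
    """delta >= 1/2 * C(N, N/2) * (alpha_00 alpha_01)^(N/2) for even N: Bob
    decodes every position correctly while Eve's block is balanced, in
    which case her block is independent of C and she can only guess."""
    if n % 2:
        raise ValueError("N must be even")
    a00, a01, _, _ = position_probs(alpha, eps)
    return 0.5 * comb(n, n // 2) * (a00 * a01) ** (n // 2)


def exponent_bases(alpha, eps):
    """The two bases compared in the text: 2 sqrt(a00 a01) versus a10 + a11."""
    a00, a01, a10, a11 = position_probs(alpha, eps)
    return 2 * sqrt(a00 * a01), a10 + a11


def smallest_good_block_length(alpha, eps, max_n=2000):
    """Smallest even N at which the lower bound on Eve's error already
    exceeds Bob's error, i.e. the legitimate partners provably lead."""
    for n in range(2, max_n + 1, 2):
        if eve_errs_lower_bound(alpha, eps, n) > bob_accepts_and_errs(alpha, eps, n):
            return n
    return None


def mismatch_after_repeat_code(p, n):
    """If Alice's and Bob's bits disagree independently with probability p,
    the bit kept after an accepted N-bit repeat-code block disagrees with
    probability p^N / (p^N + (1-p)^N)."""
    return p**n / (p**n + (1 - p) ** n)


def mismatch_after_parity_rounds(p, rounds):
    """One parity-check round keeps X_1, Y_1 only if X_1+X_2 = Y_1+Y_2 (mod 2);
    the kept bits disagree with probability p^2 / (p^2 + (1-p)^2).  Iterating
    r times reproduces the 2^r-bit repeat code, as the text states."""
    for _ in range(rounds):
        p = p**2 / (p**2 + (1 - p) ** 2)
    return p


if __name__ == "__main__":
    print(position_probs(0.1, 0.05), smallest_good_block_length(0.2, 0.01))
```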

5.4 Information Reconciliation 

During advantage distillation, the partners Alice and Bob compute (possibly 
distinct) strings $S_A$ and $S_B$, respectively, about which the adversary also has 
some information. At the end of the key-agreement protocol however, Alice's 
and Bob's strings must be equal and highly secure, both with overwhelming 
probability. The information-reconciliation phase consists of interactive error 
correction and establishes the first of these two conditions. 

After advantage distillation, Bob has more information about Alice's string 
than Eve has, and after information reconciliation, Bob should know Alice's 
string exactly. (A more general condition would be that after information reconciliation, 
Alice and Bob share a string that is equally long as $S_A$ and $S_B$.) This 
leads to a lower bound on the amount of error-correction information $E$ that 
must be exchanged. Namely, Bob must know $S_A$ completely with overwhelming 
probability when given $S_B$ and $E$, i.e., 

\[ 0 \approx H(S_A \mid S_B, E) \ge H(S_A \mid S_B) - H(E) , \] 

and hence 

\[ H(E) \gtrsim H(S_A \mid S_B) . \] 

On the other hand, the uncertainty of $S_A$ from Eve's viewpoint can as well be 
reduced by $H(E)$ in the worst case when Eve learns $E$ (see Figure 20). 

Fig. 19. Three Rounds of the Parity-Check Protocol 

Fig. 20. The Effect of Information Leaked During Information Reconciliation 



A good protocol for information reconciliation should both minimize the 
amount of information leaked to the adversary and be efficient. Examples of 
protocols satisfying both conditions are given in [G]. We sketch two examples of 
these protocols. The first is optimal with respect to the information leaked but 
completely inefficient, whereas the second protocol leaks more information but 
is more efficient as well. Let us assume that Alice and Bob have finished the 
advantage-distillation phase in the satellite model. In other words, Bob's string 
is a (good) estimate of Alice's string, i.e., the same string with a (small) 
number of errors. 

Random-Label Protocol. The first, non-interactive, protocol works as follows. 
Alice randomly chooses a function $f$ mapping $\{0,1\}^n \to \{0,1\}^m$ (where $n$ 
is the length of $S_A$ and $S_B$ and $m$ can be roughly equal to $H(S_A \mid S_B)$) among all 
such functions and sends (a description of) $f$ together with $f(S_A)$ to Bob, who 
determines the string $S'_B$ with minimal Hamming distance from $S_B$ that satisfies 
$f(S'_B) = f(S_A)$. According to the discussion above, and because $m \approx H(S_A \mid S_B)$, 
this protocol is optimal with respect to the leaked information. However, it is 
completely inefficient, hence useless, for the following two reasons. First, the description 
of the random function $f$ would require $m \cdot 2^n$ bits. Furthermore, $S'_B$ 
cannot be efficiently determined from $f$, $f(S_A)$, and $S_B$. 

Binary-Search Protocol. The idea of the second protocol is to interactively 
detect the positions where Alice's and Bob's strings differ and to correct these 
errors. Alice and Bob start by comparing the parity bit, i.e., the XOR-sum, of 
the bits in randomly but identically chosen substrings $S'_A$ and $S'_B$ of $S_A$ and 
$S_B$, respectively. If there are bit errors between the strings $S_A$ and $S_B$, then the 
resulting parity bits differ with probability $1/2$ over the choice of the substrings. 

If the parities are different, Alice and Bob have detected substrings containing 
an odd number of errors with respect to each other, and they can locate one of 
them by partitioning the substring into two subsets of equal size, one of which 
clearly contains an odd number of errors as well (and has different parity sums). 
This splitting procedure is continued until the error is localized and can be 
corrected by Bob (see Figure 21). 

Fig. 21. Finding and Correcting an Error by Comparing Parities 

Alice and Bob repeat this procedure until all the errors are found and corrected. 
If $n$ is the length of the strings $S_A$ and $S_B$, this protocol requires the 
exchange of $\lceil \log_2 n \rceil$ bits per error to be corrected. Hence it is efficient if the 
strings of Alice and Bob differ in only a few bit positions. 
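The binary-search protocol as runnable code, added here as our own example (not code from the chapter). The half-size random substrings and the stopping rule (a run of matching parities) are our choices; every parity Alice announces is recorded, since Eve overhears it and it counts against the key length in privacy amplification.

```python
import random


class Party:
    """Holds one side's bit string and answers parity queries over index sets."""

    def __init__(self, bits):
        self.bits = list(bits)

    def parity(self, idx):
        return sum(self.bits[i] for i in idx) & 1


def make_instance(n, flipped_positions, seed):
    """Constructed input: Alice's random n-bit string and Bob's copy with
    errors at the given positions (standing in for the strings S_A, S_B
    left by advantage distillation)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    bob_bits = list(alice_bits)
    for i in flipped_positions:
        bob_bits[i] ^= 1
    return Party(alice_bits), Party(bob_bits)


def bisect_error(alice, bob, idx, leaked):
    """idx holds an odd number of errors.  Alice publishes the parity of the
    first half; Bob keeps whichever half still has differing parity, until a
    single position remains, which he flips.  Each published parity goes
    into `leaked`.  Returns the corrected position."""
    while len(idx) > 1:
        half = idx[: len(idx) // 2]
        a = alice.parity(half)
        leaked.append((tuple(half), a))
        idx = half if bob.parity(half) != a else idx[len(idx) // 2:]
    bob.bits[idx[0]] ^= 1
    return idx[0]


def reconcile(alice, bob, seed, quiet_limit=40):
    """Binary-search protocol of Section 5.4.  Each round both compare the
    parity of the same random half-size subset of positions; a difference
    reveals an odd number of errors, which bisect_error localises.  Stopping
    after quiet_limit consecutive matching parities is our assumption: once
    no error is left every parity matches, and while one is left a round
    misses it with probability about 1/2.  Returns (corrected positions,
    list of leaked (positions, parity) pairs)."""
    rng = random.Random(seed)
    n = len(alice.bits)
    leaked, fixed, quiet = [], [], 0
    while quiet < quiet_limit:
        idx = sorted(rng.sample(range(n), n // 2))
        a = alice.parity(idx)
        leaked.append((tuple(idx), a))
        if bob.parity(idx) != a:
            fixed.append(bisect_error(alice, bob, idx, leaked))
            quiet = 0
        else:
            quiet += 1
    return fixed, leaked


if __name__ == "__main__":
    alice, bob = make_instance(64, (5, 21, 60), 7)
    fixed, leaked = reconcile(alice, bob, 1)
    print(sorted(fixed), len(leaked), bob.bits == alice.bits)
```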

After information reconciliation, Alice and Bob have agreed on a mutual 
string S about which Eve has a possibly considerable amount of information 
consisting of both a priori knowledge but also information (e.g., physical bits or 
parities thereof) leaked during information reconciliation. 



5.5 Privacy Amplification 

Privacy amplification is the art of shrinking a partially secure string $S$ to a 
highly secret string $S'$ by public discussion. Here, the information of the adversary 
about $S$ can consist of physical bits, of parities thereof, or other types 
of information (see Figure 22). 

Unconditional Security in Cryptography 241 




Fig. 22. Eliminating Eve’s Knowledge by Privacy Amplification 



The following questions related to privacy amplification were studied and 
answered in [4], [3]. What is a good technique of computing $S'$ from $S$? What 
is the possible length of $S'$, depending on this shrinking technique and on the 
adversary's (type and amount of) information about $S$? 

It is quite clear that the best technique would be to compute $S'$ (of length 
$r$) from the $n$-bit string $S$ by applying a random function $f : \{0,1\}^n \to \{0,1\}^r$. 
However, Alice and Bob would have to exchange $r \cdot 2^n$ bits of information to 
agree on such a function. On the other hand, there exist relatively small classes of 
functions with "random-like" properties. Examples are so-called universal classes 
of hash functions, which turned out to be useful for privacy amplification. 

Definition 6. A class $\mathcal{H}$ of functions $h$ mapping a set $A$ to a set $B$ is called 
universal if for all $x, y \in A$, $x \ne y$, we have 

\[ \mathrm{Prob}_{h \in_R \mathcal{H}} [ h(x) = h(y) ] = \frac{1}{|B|} , \] 

where $h \in_R \mathcal{H}$ stands for the fact that $h$ is chosen randomly in $\mathcal{H}$ according 
to the uniform distribution. In other words, a function that is chosen randomly 
from a universal class behaves like a completely random function with respect to 
collisions. ◇ 

An example of a universal class of functions, mapping $\{0,1\}^n$ to $\{0,1\}^r$, of cardinality 
$2^{nr}$ are the linear functions. There exist even smaller classes. For more 
examples and lower bounds on the size of universal classes, see for example [33]. 

We analyze the following type of privacy amplification protocols. First, Alice 
chooses a random function $h$ from a fixed universal class $\mathcal{H}$ of hash functions 
mapping $n$-bit strings to $r$-bit strings for some $r$ to be determined, and sends 
(the description of) $h$ publicly to Bob, i.e., also Eve learns $h$. Then Alice and 
Bob both compute $S' := h(S)$. 
Let us consider the question how long the virtually secure string $S'$ can be, 
depending on the type and amount of Eve's knowledge about $S$. Note first that 
the fact that Eve has some information about a string $S$ is another way of saying 
that given Eve's entire knowledge $U = u$ about $S$, the random variable $S$ is not 
uniformly distributed, i.e., 

\[ H(S \mid U = u) < n . \] 

In this case we say that Eve has $n - H(S \mid U = u)$ bits of (Shannon) information 
about $S$. Because the resulting string $S'$ must satisfy 

\[ H(S' \mid C, U = u) \approx r \] 

(where $r$ is the length of $S'$ and $C$ is the communication held over the public 
channel), privacy amplification can be interpreted as "distribution smoothing." 
Intuitively, one might think that if Eve has $t$ bits of information about $S$, 
then the length $r$ of the resulting string $S'$ can be roughly $n - t$ (see Figure 23). 

[Figure 23: universal hashing applied to $S$, with Eve's information about $S$ drawn alongside] 

Fig. 23. Can Eve's Knowledge Be Simply Cut Away by Universal Hashing? 

This fact was shown to be correct if Eve has deterministic information about 
$S$, i.e., if Eve knows the value $g(S)$ for some fixed function $g$ [4]. However, if 
Eve's information is not deterministic, it is not true in general that $n - t$ secure 
bits can be extracted when Eve has $t$ bits of Shannon information about $S$, 
as the following example shows. Let $P_{S|U=u}(s_0) = 1/2$ for some $s_0 \in \{0,1\}^n$, 
and $P_{S|U=u}(s) = 1/(2 \cdot (2^n - 1))$ for all $n$-bit strings $s \ne s_0$. Then, we have 
$H(S \mid U = u) \approx n/2$, but no secure string $S'$ (of any length, let alone $n/2$) can be 
extracted because Eve precisely knows $S$, hence also $S' = h(S)$, with probability 
$1/2$ (where $h$ is the randomly chosen hash function). This means that $S'$ cannot 
be highly secure. 

The answer to the question what a suitable information (or entropy) measure 
is with the property that the above intuition (illustrated in Figure 23) is true, 
was given in [3] as follows. 

Definition 7. For a random variable $X$ with distribution $P_X$, the collision probability 
$P_C(X)$ is defined as 

\[ P_C(X) := \sum_x P_X(x)^2 . \] 

The collision entropy or Rényi entropy (of order 2) of $X$ is 

\[ H_2(X) := -\log_2 (P_C(X)) = -\log_2 \Bigl( \sum_x P_X(x)^2 \Bigr) . \] 

◇ 

The collision probability is the probability that two independent realizations of 
the random variable $X$ show the same value. Equivalently, it is the probability 
of guessing a realization of $X$ correctly with the optimal strategy on the basis 
of an independent realization of $X$, where the distribution of $X$ is unknown. 
Jensen's inequality implies 

\[ H_2(X) = -\log_2 (\mathrm{E}[P_X]) \le \mathrm{E}[-\log_2 P_X] = H(X) . \] 

It was shown that Rényi entropy is a good information measure in the context 
of privacy amplification by universal hashing. Theorem 8 (see also Figure 24) 
implies that the intuitive fact illustrated in Figure 23 is true with respect to 
Rényi instead of Shannon information. 

Theorem 8. [3] Let $S$ be an $n$-bit string with conditional distribution $P_{S|U=u}$ 
(given Eve's knowledge $U = u$ about $S$) and Rényi entropy $H_2(S \mid U = u)$, let 
$G$ be the random variable corresponding to the random choice (with uniform 
distribution) of a member $g$ of a universal class $\mathcal{H}$ of hash functions mapping 
$n$-bit strings to $r$-bit strings, and let $S' = G(S)$. Then 

\[ r \ge H(S' \mid G, U = u) \ge H_2(S' \mid G, U = u) \ge r - \frac{2^{\,r - H_2(S \mid U = u)}}{\ln 2} . \] 

[Figure 24: $S$, with Rényi entropy $H_2(S \mid U = u)$, is hashed to $S' = G(S)$; Eve's information about $S'$ is below $2^{-s}/\ln 2$, and $H(S' \mid G, U = u)$ is nearly $r$] 

Fig. 24. Rényi Entropy Can Be Extracted by Universal Hashing 

Intuitively, Theorem 8 states that if the length $r$ of $S'$ is chosen as 

\[ r := H_2(S \mid U = u) - s , \] 

where $s$ is a security parameter, then the resulting string $S'$ is highly secret, 
where the security increases exponentially in $s$. 
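The counterexample distribution above (half the mass on one string $s_0$) and the bound of Theorem 8 can both be worked through numerically with the universal class of GF(2)-linear maps. This is an added example (our own code, not from the chapter or from [3]); the choice $n = 8$, the helper names, and the exhaustive average over the whole class for $r = 1$ are ours.

```python
import math
import random


def shannon(probs):
    return -sum(p * math.log2(p) for p in probs if p > 0)


def collision_prob(probs):
    return sum(p * p for p in probs)


def renyi2(probs):
    """H_2 = -log2 of the collision probability (Definition 7)."""
    return -math.log2(collision_prob(probs))


def spiked_distribution(n):
    """P_{S|U=u} from the text: probability 1/2 on s0 (taken as the all-zero
    string, index 0) and 1/(2 (2^n - 1)) on every other n-bit string."""
    m = 2**n
    return [0.5] + [0.5 / (m - 1)] * (m - 1)


def linear_hash(rows):
    """Member of the universal class of GF(2)-linear maps {0,1}^n -> {0,1}^r,
    given by its r row vectors as ints; output bit j is <row_j, x> mod 2."""
    def h(x):
        out = 0
        for row in rows:
            out = (out << 1) | (bin(row & x).count("1") & 1)
        return out
    return h


def random_linear_hash(n, r, seed):
    rng = random.Random(seed)
    return linear_hash([rng.getrandbits(n) for _ in range(r)])


def hashed_distribution(probs, h, r):
    """Distribution of S' = h(S) for one fixed hash function h."""
    out = [0.0] * (2**r)
    for x, p in enumerate(probs):
        out[h(x)] += p
    return out


def avg_collision_prob_over_class(probs, n, r):
    """E_G[P_C(G(S))] over ALL 2^(nr) linear maps (feasible for small n*r).
    Universality gives exactly P_C(S) + 2^-r (1 - P_C(S))."""
    total, mask = 0.0, (1 << n) - 1
    for code in range(1 << (n * r)):
        rows = [(code >> (n * j)) & mask for j in range(r)]
        total += collision_prob(hashed_distribution(probs, linear_hash(rows), r))
    return total / (1 << (n * r))


def average_renyi_after_hashing(probs, n, r):
    """-log2 of the class-averaged collision probability of S'."""
    return -math.log2(avg_collision_prob_over_class(probs, n, r))


def theorem8_bound(h2_of_s, r):
    """Lower bound of Theorem 8: r - 2^(r - H2(S|U=u)) / ln 2."""
    return r - 2 ** (r - h2_of_s) / math.log(2)


if __name__ == "__main__":
    p = spiked_distribution(8)
    print("Shannon", shannon(p), "Renyi", renyi2(p))      # ~5.0 vs ~2.0
    q = hashed_distribution(p, random_linear_hash(8, 4, 3), 4)
    print("H(S') for r=4:", shannon(q))                     # well below 4
    print(average_renyi_after_hashing(p, 8, 1), theorem8_bound(renyi2(p), 1))
```

For n = 8 Eve has only about 3 bits of Shannon information, yet even the 4-bit output has more than a bit of leakage; the Rényi entropy of about 2 bits is what Theorem 8 actually lets one extract.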

Note that this result is not tight and can be improved in many cases. One 
reason for this is the counterintuitive fact that Rényi entropy can be increased 
by giving side information, so-called spoiling knowledge. By using this property 
it was shown in [8] that Rényi entropy of order $\alpha$, for $1 < \alpha < 2$, is a good 
measure with respect to privacy amplification as well. 

One important question finally concerns the influence of the information 
exchanged during the information-reconciliation phase on the Rényi entropy of 
$S$ from Eve's point of view, hence on the length of the key that can finally be 
generated. It was shown in [8] that learning $r$ physical bits cannot reduce Rényi 
entropy by significantly more than $r$, except with negligible probability. 

6 Generalizing the Model 

The scenario where the parties receive independent noisy versions of the same 
random source’s signal was completely analyzed in [25], [23]. Possible real-world 
realizations of the required information source are a satellite sending random bits 
at low signal power, a pulsar, a deep-space radio source, or randomly polarized 
photons. However, many more general scenarios can be thought of where the 
parties receive a different type of correlated information. The assumptions that 
the parties obtain noisy versions of a common signal or that they have access 
to a great number of independent realizations of the same random experiment 
can be modified or dropped. An example is the scenario where Alice, Bob, and 
Eve obtain a number of playing cards from the same stack [15]. As another 
generalization, the adversary can be assumed to be more powerful. For instance, 
it may often be unrealistic to guarantee that the opponent is only a passive 
wire-tapper. 

6.1 Arbitrary Random Variables 

Let us have a closer look at the scenario of arbitrary correlated information, i.e., 
of an arbitrary random experiment $P_{XYZ}$ with many independent realizations 
(see Figure 15). Note that this is exactly the setting for which the secret-key 
rate $S(X;Y\|Z)$ is defined. In this general case it is a fundamental and natural 
problem to determine $S(X;Y\|Z)$ for a given distribution $P_{XYZ}$, or at least 
to decide whether the quantity is non-zero. The following bounds depend on 
information-theoretic quantities directly derived from $P_{XYZ}$. The lower bound 

\[ \max\{ I(X;Y) - I(X;Z) ,\; I(Y;X) - I(Y;Z) \} \le S(X;Y\|Z) \] 

is a consequence of the above-mentioned result by Csiszár and Körner [12] and 
states that an existing advantage over the adversary can be fully (and even 
non-interactively) exploited to generate a secret key. As shown in the previous 
sections, this bound is not tight: secret-key agreement can also be possible in 
scenarios where Alice and Bob start in a "bad" situation. On the other hand, 
the following upper bound was shown in [21]: 

\[ S(X;Y\|Z) \le \min\{ I(X;Y) ,\; I(X;Y \mid Z) \} . \tag{16} \] 

The bound (16) is quite intuitive and states that Alice and Bob cannot extract a 
larger amount of secret key than the mutual information between their random 
variables $X$ and $Y$ (with and without giving Eve's random variable $Z$). However, 
this bound is not tight either and can be improved as follows. Trying to reduce 
the quantity $I(X;Y \mid Z)$, the adversary Eve can send the random variable $Z$ over 
a channel, characterized by $P_{\bar Z|Z}$, in order to generate the random variable $\bar Z$. 

Clearly, 

\[ S(X;Y\|Z) \le S(X;Y\|\bar Z) \le I(X;Y \mid \bar Z) \tag{17} \] 

holds for every such $\bar Z$. This motivates the following definition of a new conditional 
information measure, the intrinsic conditional mutual information between 
$X$ and $Y$ when given $Z$, which is the infimum of $I(X;Y \mid \bar Z)$, taken over 
all discrete random variables $\bar Z$ that can be obtained by sending $Z$ over a channel, 
characterized by $P_{\bar Z|Z}$. The situation is illustrated in Figure 25. (Note that 
$I(X;Y \mid \bar Z) \ge 0$ always holds for the particular $\bar Z$ which minimizes $I(X;Y \mid \bar Z)$.) 




Fig. 25. The Intrinsic Conditional Information 



Definition 9. For a distribution Pxyz, the intrinsic conditional mutual infor- 
mation between A and Y when given Z, denoted by I(X;YIZ), is 

I(X;YIZ):=M |/(A;F|Z) : Pxyz = ^Pxyz-Pziz^ , 

where the infimum is taken over all possible conditional distributions P-z\z- ° 
Intuitively, the intrinsic conditional information $I(X;Y\downarrow Z)$ measures only the
information between X and Y, which is possibly reduced by Z, but not the
additional information brought in by giving Z. If for example X and Y are
independent symmetric bits and $Z = X \oplus Y$, then we have $I(X;Y|Z) = 1$, but
$I(X;Y\downarrow Z) = 0$ (the channel that maps Z to a constant already gives
$I(X;Y|\bar Z) = I(X;Y) = 0$).
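The quantities of this section can be computed directly for small finite alphabets. The following is an added example (not code from the original text): it computes $I(X;Y)$, $I(X;Y|Z)$, the bound (16), and an upper bound on $I(X;Y\downarrow Z)$ obtained by minimizing $I(X;Y|\bar Z)$ over all deterministic channels $Z \to \bar Z$. Deterministic channels are a subset of the channels in Definition 9, so the minimum is an upper bound on the infimum, not the infimum itself. Besides the XOR example above, it includes a constructed distribution of my own (an assumption, not from the text) with two independent parts, on which the deterministic-channel bound is strictly below $\min\{I(X;Y), I(X;Y|Z)\}$, i.e. the intrinsic information improves on (16).

```python
"""Mutual information, conditional mutual information and an upper bound on the
intrinsic conditional information I(X;Y|Z-bar) for small discrete distributions.
Added example, standard library only.  A joint distribution is a dict
{(x, y, z): probability}."""
from itertools import product
from math import log2


def entropy(dist):
    """Shannon entropy in bits of a dict value -> probability."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def marginal(pxyz, positions):
    """Marginal distribution over the coordinate positions given (0=X, 1=Y, 2=Z)."""
    out = {}
    for key, p in pxyz.items():
        sub = tuple(key[i] for i in positions)
        out[sub] = out.get(sub, 0.0) + p
    return out


def mutual_info(pxyz):
    """I(X;Y) = H(X) + H(Y) - H(XY)."""
    return (entropy(marginal(pxyz, (0,))) + entropy(marginal(pxyz, (1,)))
            - entropy(marginal(pxyz, (0, 1))))


def cond_mutual_info(pxyz):
    """I(X;Y|Z) = H(XZ) + H(YZ) - H(XYZ) - H(Z)."""
    return (entropy(marginal(pxyz, (0, 2))) + entropy(marginal(pxyz, (1, 2)))
            - entropy(marginal(pxyz, (0, 1, 2))) - entropy(marginal(pxyz, (2,))))


def send_over_channel(pxyz, channel):
    """P_{XY Z-bar}(x,y,zbar) = sum_z P_{XYZ}(x,y,z) * P_{Z-bar|Z}(zbar|z).
    channel maps each z to a dict {zbar: probability} whose values sum to 1."""
    out = {}
    for (x, y, z), p in pxyz.items():
        for zbar, q in channel[z].items():
            out[(x, y, zbar)] = out.get((x, y, zbar), 0.0) + p * q
    return out


def intrinsic_info_upper_bound(pxyz):
    """min over all deterministic channels f: Z -> {0..|Z|-1} of I(X;Y|f(Z)).
    Every such f is a valid P_{Z-bar|Z}, so the result is an upper bound on the
    infimum of Definition 9, which also ranges over stochastic channels."""
    zs = sorted(k[0] for k in marginal(pxyz, (2,)))
    best = None
    for f in product(range(len(zs)), repeat=len(zs)):
        channel = {z: {f[i]: 1.0} for i, z in enumerate(zs)}
        value = cond_mutual_info(send_over_channel(pxyz, channel))
        if best is None or value < best:
            best = value
    return best


def bound_16(pxyz):
    """The upper bound (16) on the secret-key rate: min{I(X;Y), I(X;Y|Z)}."""
    return min(mutual_info(pxyz), cond_mutual_info(pxyz))


def xor_example():
    """The example from the text: X, Y independent uniform bits, Z = X xor Y."""
    return {(x, y, x ^ y): 0.25 for x in (0, 1) for y in (0, 1)}


def two_part_example(eps=0.25):
    """Constructed distribution (my assumption, not from the text): X=(X1,X2),
    Y=(Y1,Y2), Z=(Z1,Z2) with two independent parts.  Part 1 is the xor example
    (giving Z1 raises the conditional information by one bit); part 2 has Y2 = X2
    and Z2 = X2 xor N with Pr[N=1] = eps (giving Z2 lowers it).  Eve's best
    channel discards Z1 and keeps Z2, giving I(X;Y|Z-bar) = h(eps)."""
    p = {}
    for x1, y1, x2, n in product((0, 1), repeat=4):
        pr = 0.25 * 0.5 * (eps if n else 1 - eps)
        key = ((x1, x2), (y1, x2), (x1 ^ y1, x2 ^ n))
        p[key] = p.get(key, 0.0) + pr
    return p


if __name__ == "__main__":
    for name, dist in (("xor", xor_example()), ("two-part", two_part_example())):
        print(name, "I(X;Y)=%.4f" % mutual_info(dist),
              "I(X;Y|Z)=%.4f" % cond_mutual_info(dist),
              "bound(16)=%.4f" % bound_16(dist),
              "best deterministic I(X;Y|Zbar)=%.4f" % intrinsic_info_upper_bound(dist))
```

For the XOR example the constant channel gives 0, matching the text. For the two-part distribution, $I(X;Y) = 1$, $I(X;Y|Z) = 1 + h(1/4)$, so (16) gives 1, while the channel that forwards only $Z_2$ gives $h(1/4) \approx 0.811$; no channel, deterministic or not, can do better here, since $I(X;Y|\bar Z) \ge H(X_2|X_1,\bar Z) \ge H(X_2|Z_2) = h(1/4)$.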

It follows from the above that

$$S(X;Y\|Z) \;\le\; I(X;Y\downarrow Z) .$$

The fundamental problem of generally determining $S(X;Y\|Z)$ for given $P_{XYZ}$
has remained open, but there is some evidence that the intrinsic information is
exactly the right quantity linking the secret-key rate with the joint distribution
of X, Y, and Z.

Conjecture. $S(X;Y\|Z) = I(X;Y\downarrow Z)$.

However, even the generally easier problem of completely characterizing the
distributions $P_{XYZ}$ for which $S(X;Y\|Z) > 0$ holds, i.e., for which secret-key
agreement is possible in principle, has not been fully answered yet (see Figure 26).




Fig. 26. Characterizing when Secret-Key Agreement Is Possible 



6.2 Secret-Key Agreement Secure against ACTIVE Adversaries 

In all the previous models, we have assumed that the adversary is only a passive 
wire-tapper or equivalently, that the public channel connecting Alice and Bob is 
authentic. In many cases, secret-key agreement is even possible when dropping 
this condition, i.e., when the adversary is able to modify or introduce messages 
without being detected. See [17], [23], [35] for a discussion and analysis of this 
model. 

Note first that a protocol secure against active opponents cannot be guaranteed
to work in every situation because Eve, who is assumed to have full control
over the public channel, can block the channel permanently, preventing any
communication between the legitimate partners. Hence the best that can be
achieved by such a protocol is that Alice and Bob detect an adversary's active
attacks and reject the outcome of the protocol unless secret-key agreement is
successful (see Figure 27). More precisely, it is required that if Eve chooses
to remain passive, then secret-key agreement is successful (as in the
passive-adversary model). On the other hand, if Eve is active, then with
overwhelming probability either Alice and Bob both reject the outcome of the
protocol, or secret-key agreement is successful despite Eve's attacks. (Note
that it is not required that both Alice and Bob accept the outcome in the latter
case. Such a perfect synchronization of the acceptance decisions cannot be
achieved in the presence of an active adversary, who can always block the final
message that makes the second party accept.)

Fig. 27. Unconditional Security Against Active Opponents

Clearly, secret-key agreement can only be possible in the active-adversary
scenario if Alice and Bob have some initial advantage over Eve in terms of the
random variables X, Y, and Z. More precisely, this advantage must be such that
Eve is not able to perfectly simulate Alice towards Bob and vice versa. In terms
of the random variables, this is the condition that she cannot generate, using
her random variable Z, a random variable $\bar X$ with the property that given only
Y, $\bar X$ cannot be distinguished from X, and vice versa. Formally, this means
that there do not exist conditional distributions $P_{\bar X|Z}$ or $P_{\bar Y|Z}$
such that either

$$P_{\bar X Y} = P_{XY} \qquad\text{or}\qquad P_{X \bar Y} = P_{XY}$$

holds, respectively. If one of these distributions existed, secret-key
agreement would be impossible because Bob could not tell Alice and Eve
apart (or vice versa).
A surprising result, however, is that if secret-key agreement is possible at all
in the presence of an active adversary, then asymptotically the same
key-generation rate as in the passive-adversary case can be achieved.

Finally, privacy amplification can also be carried out in the case where the
adversary is active. However, the restrictions on the opponent's knowledge about
the partially secret key must be stronger [23], [35]. The idea is to use the
string S twice: first as the key for unconditionally authenticating a message
containing the description of a randomly chosen hash function, and then as the
argument of this function.
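To make the message flow of the last paragraph concrete, here is an added, constructed example (not code from the original text, and not the construction of [23], [35]): a two-message exchange in which Alice authenticates the description of a randomly chosen hash function with a one-time polynomial MAC keyed from S, Bob verifies and confirms, and both compute the final key as a hash of S. The MAC (polynomial evaluation over GF(p) plus a one-time pad), the almost-universal hash class, the way S is split into key parts, the 64-bit output length and Eve's attack functions are all my assumptions. The example demonstrates the acceptance behaviour described above (both reject when the first message is tampered with; Bob accepts but Alice rejects when Eve blocks the last message); it says nothing about the security of reusing S both as MAC key and as hash argument, which is exactly the subject of the stronger restrictions in [23], [35].

```python
"""Message flow of privacy amplification with an active adversary on the public
channel.  Added, constructed example; the MAC, hash class and key splitting are
assumptions, not the scheme of [23],[35].  Eve may alter or block any message;
each party accepts only after a verified message from the other side."""
import secrets

P = (1 << 61) - 1       # Mersenne prime; MAC and hash both work in GF(P)
TAG_BYTES = 8           # a field element fits in 8 bytes


def poly_eval(point, data):
    """Evaluate, at `point` over GF(P), the polynomial whose coefficients are
    len(data) followed by the 7-byte blocks of data (Horner's rule)."""
    acc = 0
    blocks = [len(data).to_bytes(7, "big")] + [data[i:i + 7] for i in range(0, len(data), 7)]
    for blk in blocks:
        acc = (acc * point + int.from_bytes(blk, "big")) % P
    return acc


def mac(key, message):
    """One-time polynomial MAC, tag = poly_message(a) + b mod P.  With (a, b)
    uniform and used once, a forgery succeeds with probability <= (#blocks)/P."""
    a, b = key
    return (poly_eval(a, message) + b) % P


def mac_key(s, offset):
    """Take a one-time MAC key (a, b) from 16 bytes of the shared string S."""
    a = int.from_bytes(s[offset:offset + 8], "big") % P
    b = int.from_bytes(s[offset + 8:offset + 16], "big") % P
    return a, b


def extract(desc, s, out_bits):
    """Privacy amplification: hash S with the function described by desc = (c, d)
    and keep out_bits bits.  s -> poly_eval(c, s) is almost-universal over GF(P)."""
    c, d = desc
    return ((poly_eval(c, s) + d) % P) & ((1 << out_bits) - 1)


def encode_desc(desc):
    return b"".join(v.to_bytes(8, "big") for v in desc)


def decode_desc(blob):
    return tuple(int.from_bytes(blob[i:i + 8], "big") for i in (0, 8))


def run_protocol(s_alice, s_bob, eve=None, out_bits=64):
    """Two-message protocol.  eve(msg, direction) returns the message unchanged,
    a modified message, or None (blocked).  Returns
    (alice_accepts, bob_accepts, alice_key, bob_key)."""
    eve = eve or (lambda msg, direction: msg)
    # Alice: pick the hash function at random, authenticate its description with S[0:16].
    desc = (secrets.randbelow(P), secrets.randbelow(P))
    blob = encode_desc(desc)
    msg1 = eve(blob + mac(mac_key(s_alice, 0), blob).to_bytes(TAG_BYTES, "big"), "A->B")
    if msg1 is None:
        return False, False, None, None        # channel blocked: nobody accepts
    # Bob: verify the tag with his copy of S; reject on mismatch (tampering or S mismatch).
    got_blob, got_tag = msg1[:16], int.from_bytes(msg1[16:], "big")
    if mac(mac_key(s_bob, 0), got_blob) != got_tag:
        return False, False, None, None        # Bob rejects and stays silent, so Alice rejects too
    bob_key = extract(decode_desc(got_blob), s_bob, out_bits)
    # Bob: confirm with a tag under a fresh key part S[16:32].
    msg2 = eve(mac(mac_key(s_bob, 16), got_blob).to_bytes(TAG_BYTES, "big"), "B->A")
    # Alice: accept only on a verified confirmation.  Eve can block msg2, in which
    # case Bob has accepted and Alice has not (the asymmetry noted in the text).
    if msg2 is None or int.from_bytes(msg2, "big") != mac(mac_key(s_alice, 16), blob):
        return False, True, None, bob_key
    return True, True, extract(desc, s_alice, out_bits), bob_key


if __name__ == "__main__":
    S = secrets.token_bytes(32)   # stands in for the partially secret string S
    print("passive Eve:", run_protocol(S, S))
    print("Eve alters the hash description:",
          run_protocol(S, S, eve=lambda m, d: bytes([m[0] ^ 1]) + m[1:] if d == "A->B" else m))
    print("Eve blocks the confirmation:",
          run_protocol(S, S, eve=lambda m, d: None if d == "B->A" else m))
```

Run as a script to see the three scenarios. Two practitioner checks are built in: a party that has not verified a message never outputs a key, and a mismatch between Alice's and Bob's copies of S (i.e. incomplete information reconciliation) is caught by the MAC check like any other tampering, since the tag is computed under different keys on the two sides.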

7 Concluding Remarks 

We have described several techniques and results in the context of unconditional
security in cryptography. The possibility and impossibility results mentioned
give a rough picture of the settings in which such provable confidentiality can be
achieved. An important point in this context is that, despite Shannon's well-
known pessimistic result, unconditional security is not necessarily impractical.
A number of fundamental questions in this field are open today. In particular,
the ultimate goal is the realization of a system that is both practical and
provably unconditionally secure.